Computer Repair Center posts the daily security alert below. Please check whether your server, web server, email server and PC have any of the vulnerabilities below and fix them as soon as possible. You may also contact our IT experts at 9145-7188.
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Insaat--Fikir Odalari AdminPando | A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation). | 2026-02-03 | 10 | CVE-2025-10878 | https://onurcangenc.com.tr/posts/cve-2025-10878-sql-authentication-bypass-in-fikir-odalar%C4%B1-adminpando/ https://github.com/onurcangnc/CVE-2025-10878-AdminPandov1.0.1-SQLi |
| Zenitel--TCIS-3+ | This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file name of an uploaded file. | 2026-02-04 | 10 | CVE-2025-59818 | Zenitel Release Notes Turbine Zenitel Security Advisory Zenitel Release Notes Fortitude8 Zenitel Release Notes ZIPS Zenitel Release Notes Fortitude6 Zenitel Release Notes Display Series |
| n/a--Docan[.]co | Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system. | 2026-02-03 | 10 | CVE-2025-70841 | https://codecanyon.net/item/dokans-multitenancy-based-ecommerce-platform-saas/31122915 https://github.com/cod3rLucas/security-advisories/blob/main/CVE-2025-70841.md |
| Synectix--LAN 232 TRIO | The Synectix LAN 232 TRIO 3-Port serial to ethernet adapter exposes its web management interface without requiring authentication, allowing unauthenticated users to modify critical device settings or factory reset the device. | 2026-02-03 | 10 | CVE-2026-1633 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-034-04.json |
| SignalK--signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0. | 2026-02-02 | 10 | CVE-2026-23515 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SandboxJS does not properly restrict __lookupGetter__, which can be used to obtain prototypes, which in turn can be used for sandbox escape and remote code execution. This vulnerability is fixed in 0.8.27. | 2026-02-02 | 10 | CVE-2026-25142 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7 https://github.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3 https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE): by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0. | 2026-02-03 | 10 | CVE-2026-25510 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, the return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, and Array.prototype.at can then be used to obtain the host's Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29. | 2026-02-06 | 10 | CVE-2026-25520 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4 https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties, enabling host Object.prototype pollution and persistent cross-sandbox impact. This vulnerability is fixed in 0.8.29. | 2026-02-06 | 10 | CVE-2026-25586 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-jjpw-65fv-8g48 https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, its prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped. This vulnerability is fixed in 0.8.29. | 2026-02-06 | 10 | CVE-2026-25587 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-66h4-qj4x-38xp https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 |
| microsoft--semantic-kernel | Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.70.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.70.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed. | 2026-02-06 | 10 | CVE-2026-25592 | https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4 https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64 |
| WaterFutures--EPyT-Flow | EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow's REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1. | 2026-02-06 | 10 | CVE-2026-25632 | https://github.com/WaterFutures/EPyT-Flow/security/advisories/GHSA-74vm-8frp-7w68 https://github.com/WaterFutures/EPyT-Flow/commit/3fff9151494c7dbc72073830b734f0a7e550e385 https://github.com/WaterFutures/EPyT-Flow/releases/tag/v0.16.1 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is never enforced. So, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using hasOwnProperty(key) and a different one for when the key is used for the actual property access. This vulnerability is fixed in 0.8.29. | 2026-02-06 | 10 | CVE-2026-25641 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7x3h-rm86-3342 https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 https://github.com/nyariv/SandboxJS/blob/6103d7147c4666fe48cfda58a4d5f37005b43754/src/executor.ts#L304-L304 |
| StreamRipper--StreamRipper32 | StreamRipper32 version 2.6 contains a buffer overflow vulnerability in the Station/Song Section that allows attackers to overwrite memory by manipulating the SongPattern input. Attackers can craft a malicious payload exceeding 256 bytes to potentially execute arbitrary code and compromise the application. | 2026-02-03 | 9.8 | CVE-2020-37065 | ExploitDB-48517 StreamRipper Vendor Homepage VulnCheck Advisory: StreamRipper32 2.6 - Buffer Overflow |
| GoldWave--GoldWave | GoldWave 5.70 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting malicious input in the File Open URL dialog. Attackers can generate a specially crafted text file with Unicode-encoded shellcode to trigger a stack-based overflow and execute commands when the file is opened. | 2026-02-03 | 9.8 | CVE-2020-37066 | ExploitDB-48510 Official Vendor Homepage VulnCheck Advisory: GoldWave 5.70 – Buffer Overflow (SEH Unicode) |
| Utillyty--Filetto | Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers to crash the service. Attackers can send an oversized FEAT command with 11,008 bytes of repeated characters to trigger a buffer overflow and terminate the FTP service. | 2026-02-03 | 9.8 | CVE-2020-37067 | ExploitDB-48503 Vendor Homepage Software Project Repository VulnCheck Advisory: Filetto 1.0 - 'FEAT' Denial of Service |
| Konica Minolta--FTP Utility | Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the LIST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 'A' characters to crash the FTP server and potentially execute unauthorized code. | 2026-02-03 | 9.8 | CVE-2020-37068 | ExploitDB-48501 Konica Minolta FTP Utility Download Page Konica Minolta Vendor Homepage VulnCheck Advisory: Konica Minolta FTP Utility 1.0 - 'LIST' Denial of Service |
| Konica Minolta--FTP Utility | Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the NLST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 'A' characters to crash the FTP server and potentially execute unauthorized code. | 2026-02-03 | 9.8 | CVE-2020-37069 | ExploitDB-48502 Konica Minolta FTP Utility Download Page Konica Minolta Vendor Homepage VulnCheck Advisory: Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service |
| CloudMe--CloudMe | CloudMe 1.11.2 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code through crafted network packets. Attackers can exploit the vulnerability by sending a specially crafted payload to the CloudMe service running on port 8888, enabling remote code execution. | 2026-02-03 | 9.8 | CVE-2020-37070 | ExploitDB-48499 CloudMe Official Homepage VulnCheck Advisory: CloudMe 1.11.2 - Buffer Overflow (SEH,DEP,ASLR) |
| CraftCMS--CraftCMS | CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request. | 2026-02-03 | 9.8 | CVE-2020-37071 | ExploitDB-48492 Official CraftCMS Vendor Homepage CraftCMS vCard Plugin Page Researcher Exploit Disclosure VulnCheck Advisory: CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution |
| LizardSystems--Remote Desktop Audit | Remote Desktop Audit 2.3.0.157 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code during the Add Computers Wizard file import process. Attackers can craft a malicious payload file to trigger a structured exception handler (SEH) bypass and execute shellcode when importing computer lists. | 2026-02-03 | 9.8 | CVE-2020-37074 | ExploitDB-48465 Remote Desktop Audit Product Webpage VulnCheck Advisory: Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH) |
| LizardSystems--LanSend | LanSend 3.2 contains a buffer overflow vulnerability in the Add Computers Wizard file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious payload file to trigger a structured exception handler (SEH) overwrite and execute shellcode when importing computers from a file. | 2026-02-03 | 9.8 | CVE-2020-37075 | ExploitDB-48461 LanSend Product Webpage VulnCheck Advisory: LanSend 3.2 - Buffer Overflow (SEH) |
| luiswang--webTareas | webTareas 2.0.p8 contains a file deletion vulnerability in the print_layout.php administration component that allows authenticated attackers to delete arbitrary files. Attackers can exploit the vulnerability by manipulating the 'atttmp1' parameter to specify and delete files on the server through an unauthenticated file deletion mechanism. | 2026-02-03 | 9.8 | CVE-2020-37080 | ExploitDB-48430 webTareas Project Homepage VulnCheck Advisory: webTareas 2.0.p8 - Arbitrary File Deletion |
| Weberp--webERP | webERP 4.15.1 contains an unauthenticated file access vulnerability that allows remote attackers to download database backup files without authentication. Attackers can directly access generated backup files in the companies/weberp/ directory by requesting the Backup_[timestamp].sql.gz file. | 2026-02-03 | 9.8 | CVE-2020-37082 | ExploitDB-48420 Official webERP Vendor Homepage webERP SourceForge Project Page VulnCheck Advisory: webERP 4.15.1 - Unauthenticated Backup File Access |
| Arox--School ERP Pro | School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server. | 2026-02-03 | 9.8 | CVE-2020-37090 | ExploitDB-48392 Archived Vendor Homepage Archived SourceForge Product Page VulnCheck Advisory: School ERP Pro 1.0 - Remote Code Execution |
| EspoCRM--EspoCRM | EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges. | 2026-02-03 | 9.8 | CVE-2020-37094 | ExploitDB-48376 EspoCRM Official Vendor Homepage VulnCheck Advisory: EspoCRM 5.8.5 - Privilege Escalation |
| Cyberoam--Cyberoam Authentication Client | Cyberoam Authentication Client 2.1.2.7 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) memory. Attackers can craft a malicious input in the 'Cyberoam Server Address' field to trigger a bind TCP shell on port 1337 with system-level access. | 2026-02-06 | 9.8 | CVE-2020-37095 | ExploitDB-48148 Archived Cyberoam Authentication Client Software VulnCheck Advisory: Cyberoam Authentication Client 2.1.2.7 - Buffer Overflow (SEH) |
| Nsasoft--Nsauditor | Nsauditor 3.0.28 and 3.2.1.0 contain a buffer overflow vulnerability in the DNS Lookup tool that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious DNS query payload to trigger a three-byte overwrite, bypass ASLR, and execute shellcode through a carefully constructed exploit. | 2026-02-05 | 9.8 | CVE-2020-37119 | ExploitDB-48350 Nsauditor Homepage VulnCheck Advisory: Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite)) |
| Rubo Medical Imaging--Rubo DICOM Viewer | Rubo DICOM Viewer 2.0 contains a buffer overflow vulnerability in the DICOM server name input field that allows attackers to overwrite Structured Exception Handler (SEH). Attackers can craft a malicious text file with carefully constructed payload to execute arbitrary code by overwriting SEH and triggering remote code execution. | 2026-02-05 | 9.8 | CVE-2020-37120 | ExploitDB-48351 Archived Rubo DICOM Viewer Product Page VulnCheck Advisory: Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH) |
| wcchandler--Pinger | Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters. | 2026-02-05 | 9.8 | CVE-2020-37123 | ExploitDB-48323 Pinger GitHub Repository VulnCheck Advisory: Pinger 1.0 - Remote Code Execution |
| 4Mhz--B64dec | B64dec 1.1.2 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) with crafted input. Attackers can leverage an egg hunter technique and carefully constructed payload to inject and execute malicious code during base64 decoding process. | 2026-02-05 | 9.8 | CVE-2020-37124 | ExploitDB-48317 Product Webpage VulnCheck Advisory: B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter) |
| EDIMAX Technology--EW-7438RPn Mini | Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands through the /goform/mp endpoint. Attackers can exploit the vulnerability by sending crafted POST requests with command injection payloads to download and execute malicious scripts on the device. | 2026-02-05 | 9.8 | CVE-2020-37125 | ExploitDB-48318 Edimax EW-7438RPn Mini Product Page VulnCheck Advisory: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution |
| Drive Software Company--Free Desktop Clock | Free Desktop Clock 3.0 contains a stack overflow vulnerability in the Time Zones display name input that allows attackers to overwrite Structured Exception Handler (SEH) registers. Attackers can exploit the vulnerability by crafting a malicious Unicode input that triggers an access violation and potentially execute arbitrary code. | 2026-02-05 | 9.8 | CVE-2020-37126 | ExploitDB-48314 Vendor Homepage VulnCheck Advisory: Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH) |
| Microvirt--Memu Play | Memu Play 7.1.3 contains an insecure folder permissions vulnerability that allows low-privileged users to modify the MemuService.exe executable. Attackers can replace the service executable with a malicious file during system restart to gain SYSTEM-level privileges by exploiting unrestricted file modification permissions. | 2026-02-05 | 9.8 | CVE-2020-37129 | ExploitDB-48283 Memu Play Official Homepage VulnCheck Advisory: Memu Play 7.1.3 - Insecure Folder Permissions |
| 10-Strike Software--Network Inventory Explorer | 10-Strike Network Inventory Explorer 9.03 contains a buffer overflow vulnerability in the file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious text file with carefully constructed payload to trigger a stack-based buffer overflow and bypass data execution prevention through a ROP chain. | 2026-02-05 | 9.8 | CVE-2020-37138 | ExploitDB-48264 10-Strike Software Homepage 10-Strike Network Inventory Explorer Product Page VulnCheck Advisory: 10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP) |
| Parallaxis--Cuckoo Clock | Parallaxis Cuckoo Clock 5.0 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory registers in the alarm scheduling feature. Attackers can craft a malicious payload exceeding 260 bytes to overwrite EIP and EBP, enabling shellcode execution with potential remote code execution. | 2026-02-06 | 9.8 | CVE-2020-37159 | ExploitDB-48087 Vendor Homepage VulnCheck Advisory: Cuckoo Clock 5.0 - Buffer Overflow |
| Wedding Slideshow Studio--Wedding Slideshow Studio | Wedding Slideshow Studio 1.36 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the registration name field with malicious payload. Attackers can craft a specially designed payload to trigger remote code execution, demonstrating the ability to run system commands like launching the calculator. | 2026-02-06 | 9.8 | CVE-2020-37161 | ExploitDB-48050 Wedding Slideshow Studio Official Homepage VulnCheck Advisory: Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow |
| Wedding Slideshow Studio--Wedding Slideshow Studio | Wedding Slideshow Studio 1.36 contains a buffer overflow vulnerability in the registration key input that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload of 1608 bytes to trigger a stack-based buffer overflow and execute commands through the registration key field. | 2026-02-06 | 9.8 | CVE-2020-37162 | ExploitDB-48028 Archived Wedding Slideshow Studio Webpage VulnCheck Advisory: Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow |
| Innomic--VibroLine VLX1 HD 5.0 | An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced. | 2026-02-02 | 9.8 | CVE-2022-50981 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| IBM--Common Cryptographic Architecture | IBM Common Cryptographic Architecture (CCA) 7.5.52 and 8.4.82 could allow an unauthenticated user to execute arbitrary commands with elevated privileges on the system. | 2026-02-04 | 9.8 | CVE-2025-13375 | https://www.ibm.com/support/pages/node/7259625 |
| jayarsiech--JAY Login & Register | The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_login_register_ajax_create_final_user' function. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator. | 2026-02-08 | 9.8 | CVE-2025-15027 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b08198a6-10e8-44ca-a1c5-8d987d85c469?source=cve https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.5.01/includes/jay-login-register-ajax-handler.php#L788 |
| Emit Informatics and Communication Technologies Industry and Trade Ltd. Co.--DIGITA Efficiency Management System | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Emit Informatics and Communication Technologies Industry and Trade Ltd. Co. DIGITA Efficiency Management System allows SQL Injection. This issue affects DIGITA Efficiency Management System: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 9.8 | CVE-2025-5319 | https://www.usom.gov.tr/bildirim/tr-26-0016 |
| Martcode Software Inc.--Delta Course Automation | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martcode Software Inc. Delta Course Automation allows SQL Injection. This issue affects Delta Course Automation: through 04022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-04 | 9.8 | CVE-2025-5329 | https://www.usom.gov.tr/bildirim/tr-26-0018 |
| Unstructured-IO--unstructured | The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18. | 2026-02-04 | 9.8 | CVE-2025-64712 | https://github.com/Unstructured-IO/unstructured/security/advisories/GHSA-gm8q-m8mv-jj5m https://github.com/Unstructured-IO/unstructured/commit/b01d35b2373fd087d2e15162b9c021663c97155d |
| wildfirechat--im-server | Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint (/fs) that handles multipart file uploads but fails to properly sanitize the filename provided by the user. Specifically, the writeFileUploadData method directly concatenates the configured storage directory with the filename extracted from the upload request without stripping directory traversal sequences (e.g., ../../). This vulnerability allows an attacker to write arbitrary files to any location on the server's filesystem where the application process has write permissions. By uploading malicious files (such as scripts, executables, or overwriting configuration files like authorized_keys or cron jobs), an attacker can achieve Remote Code Execution (RCE) and completely compromise the server. This vulnerability is fixed in 1.4.3. | 2026-02-02 | 9.8 | CVE-2025-66480 | https://github.com/wildfirechat/im-server/security/advisories/GHSA-74hq-jhx2-fq6c https://github.com/wildfirechat/im-server/commit/2f9c4e028c01c64913cab32e7248bcca183a5230 https://github.com/wildfirechat/im-server/releases/tag/1.4.3 |
| revmakx--WP Duplicate WordPress Migration Plugin | The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution. | 2026-02-06 | 9.8 | CVE-2026-1499 | https://www.wordfence.com/threat-intel/vulnerabilities/id/11bb7190-023b-45e1-99a5-7313c489ef45?source=cve https://cwe.mitre.org/data/definitions/862.html https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-admin.php#L422 https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-admin.php#L422 https://plugins.trac.wordpress.org/browser/local-sync/trunk/includes/class-local-sync-handle-server-requests.php#L389 https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/includes/class-local-sync-handle-server-requests.php#L389 https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-files-op.php#L843 https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-files-op.php#L843 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3452904%40local-sync&old=3400317%40local-sync&sfp_email=&sfph_mail= |
| Rapid7--Vulnerability Management | Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts set up via "Security Console" installations, resulting in full account takeover. The issue occurs because the application processes unsigned assertions and issues session cookies that grant access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM. | 2026-02-03 | 9.6 | CVE-2026-1568 | https://docs.rapid7.com/insight/command-platform-release-notes/ |
| RISS SRL--MOMA Seismic Station | MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset the device. | 2026-02-03 | 9.1 | CVE-2026-1632 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-034-03.json |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate. | 2026-02-06 | 9.4 | CVE-2026-1709 | RHSA-2026:2224 RHSA-2026:2225 RHSA-2026:2298 https://access.redhat.com/security/cve/CVE-2026-1709 RHBZ#2435514 |
| IP-COM--W30AP | A vulnerability was detected in IP-COM W30AP up to 1.0.0.11(1340). Affected by this issue is the function R7WebsSecurityHandler of the file /goform/wx3auth of the component POST Request Handler. The manipulation of the argument data results in stack-based buffer overflow. The attack may be performed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 9.8 | CVE-2026-2017 | VDB-344599 \| IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow VDB-344599 \| CTI Indicators (IOB, IOC, IOA) Submit #744062 \| IP-COM W30APv4.0 <= v1.0.0.11(1340) Stack-based Buffer Overflow Submit #744063 \| IP-COM W30APv4.0 <= v1.0.0.11(1340) Stack-based Buffer Overflow (Duplicate) https://gitee.com/GXB0_0/iot-vul/blob/master/IP-COM/W30AP/wx3auth-sprintf.md https://gitee.com/GXB0_0/iot-vul/blob/master/IP-COM/W30AP/wx3auth-sprintf.md#poc |
| Fortinet--FortiClientEMS | An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | 2026-02-06 | 9.1 | CVE-2026-21643 | https://fortiguard.fortinet.com/psirt/FG-IR-25-1142 |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained with a heap overflow in the JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1. | 2026-02-02 | 9.8 | CVE-2026-22778 | https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv https://github.com/vllm-project/vllm/pull/31987 https://github.com/vllm-project/vllm/pull/32319 https://github.com/vllm-project/vllm/releases/tag/v0.14.1 |
| Microsoft--Azure Front Door | Azure Front Door Elevation of Privilege Vulnerability | 2026-02-05 | 9.8 | CVE-2026-24300 | Azure Front Door Elevation of Privilege Vulnerability |
| NixOS--nixpkgs | The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests. If kept, searching access logs and/or Odoo's log for requests to /web/database can give indicators of whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a 2nd line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and is thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web UI. This means the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05. | 2026-02-02 | 9.1 | CVE-2026-25137 | https://github.com/NixOS/nixpkgs/security/advisories/GHSA-cwmq-6wv5-f3px https://github.com/NixOS/nixpkgs/pull/485310 https://github.com/NixOS/nixpkgs/pull/485454 |
| QwikDev--qwik | Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0. | 2026-02-03 | 9.3 | CVE-2026-25150 | https://github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq https://github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7 |
| AlistGo--alist | Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. This issue has been patched in version 3.57.0. | 2026-02-04 | 9.1 | CVE-2026-25160 | https://github.com/AlistGo/alist/security/advisories/GHSA-8jmm-3xwx-w974 https://github.com/AlistGo/alist/commit/69629ca76a8f2c8c973ede3b616f93aa26ff23fb |
| Samsung Electronics--MagicINFO 9 Server | A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover. This issue affects MagicINFO 9 Server: less than 21.1090.1. | 2026-02-02 | 9.8 | CVE-2026-25200 | https://security.samsungtv.com/securityUpdates |
| Samsung Electronics--MagicINFO 9 Server | The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1. | 2026-02-02 | 9.8 | CVE-2026-25202 | https://security.samsungtv.com/securityUpdates |
| maziggy--bambuddy | Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and many API routes do not check authentication. This issue has been patched in version 0.1.7. | 2026-02-04 | 9.8 | CVE-2026-25505 | https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf https://github.com/maziggy/bambuddy/pull/225 https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9 https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28 https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md https://github.com/maziggy/bambuddy/releases/tag/v0.1.7 |
| HubSpot--jinjava | JinJava is a Java-based template engine based on Django template syntax, adapted to render Jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3. | 2026-02-04 | 9.8 | CVE-2026-25526 | https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74 https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998 https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441 https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6 https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3 |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5. | 2026-02-04 | 9.1 | CVE-2026-25539 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9 https://github.com/siyuan-note/siyuan/commit/d7f790755edf8c78d2b4176171e5a0cdcd720feb |
| payloadcms--payload | Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0. | 2026-02-06 | 9.8 | CVE-2026-25544 | https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8 |
| blakeblackshear--frigate | Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4. | 2026-02-06 | 9.1 | CVE-2026-25643 | https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x https://github.com/blakeblackshear/frigate/releases/tag/v0.16.4 |
| denpiligrim--3dp-manager | 3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2. | 2026-02-06 | 9.8 | CVE-2026-25803 | https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248 |
| OXID-eSales--OXID eShop | OXID eShop versions 6.x prior to 6.3.4 contain a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs. | 2026-02-03 | 8.2 | CVE-2019-25260 | ExploitDB-48527 Official OXID eShop Vendor Homepage OXID eShop Community Edition GitHub Repository Archived Researcher Disclosure Archived RIPSTech Security Blog OXID eShop Bug Tracking Entry VulnCheck Advisory: OXID eShop 6.3.4 - 'sorting' SQL Injection |
| VictorAlagwu--CMSsite | Victor CMS 1.0 contains an authenticated file upload vulnerability that allows administrators to upload PHP files with arbitrary content through the user_image parameter. Attackers can upload a malicious PHP shell to the /img/ directory and execute system commands by accessing the uploaded file with a 'cmd' parameter. | 2026-02-03 | 8.8 | CVE-2020-37073 | ExploitDB-48490 Victor CMS Project Repository VulnCheck Advisory: Victor CMS 1.0 - Authenticated Arbitrary File Upload |
| VictorAlagwu--CMSsite | Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted UNION SELECT payloads to extract database information through boolean-based, error-based, and time-based injection techniques. | 2026-02-03 | 8.2 | CVE-2020-37076 | ExploitDB-48451 Victor CMS GitHub Repository VulnCheck Advisory: Victor CMS 1.0 - 'post' SQL Injection |
| i-doit GmbH--i-doit Open Source CMDB | i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem. | 2026-02-03 | 8.8 | CVE-2020-37078 | ExploitDB-48427 Official Vendor Homepage i-doit SourceForge Project VulnCheck Advisory: i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion |
| chatelao--PHP Address Book | PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times in the photo.php endpoint. | 2026-02-03 | 8.2 | CVE-2020-37083 | ExploitDB-48416 SourceForge Product Page VulnCheck Advisory: addressbook 9.0.0.1 - 'id' SQL Injection |
| Arox--School ERP Pro | School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete database information. | 2026-02-03 | 8.2 | CVE-2020-37089 | ExploitDB-48390 Archived Vendor Homepage Archived SourceForge Product Page VulnCheck Advisory: School ERP Pro 1.0 - 'es_messagesid' SQL Injection |
| Davidvg--60CycleCMS | 60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious SQL code and potentially extract or modify database contents. This issue does not involve cross-site scripting. | 2026-02-03 | 8.2 | CVE-2020-37110 | ExploitDB-48177 Software Download Link VulnCheck Advisory: 60CycleCMS 2.5.2 - 'news.php' SQL Injection Vulnerability |
| Openeclass--GUnet OpenEclass | GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intended file type checks in the exercise submission feature. | 2026-02-03 | 8.8 | CVE-2020-37113 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - File Upload Extension Bypass |
| Openeclass--GUnet OpenEclass | GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database compromise. | 2026-02-03 | 8.8 | CVE-2020-37116 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - phpMyAdmin Remote Access |
| jizhiCMS--jizhiCMS | jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads. | 2026-02-05 | 8.8 | CVE-2020-37117 | ExploitDB-48361 Official Vendor Homepage VulnCheck Advisory: jizhiCMS 1.6.7 - Arbitrary File Download |
| Odin-Secure-Ftp-Expert--Odin Secure FTP Expert | Odin Secure FTP Expert 7.6.3 contains a local denial of service vulnerability that allows attackers to crash the application by manipulating site information fields. Attackers can generate a buffer overflow by pasting 108 bytes of repeated characters into connection fields, causing the application to crash. | 2026-02-05 | 8.4 | CVE-2020-37139 | ExploitDB-48262 Archived Software Download VulnCheck Advisory: Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service |
| AMSS++--AMSS++ | AMSS++ version 4.31 contains a SQL injection vulnerability in the mail module's maildetail.php script through the 'id' parameter. Attackers can manipulate the 'id' parameter in /modules/mail/main/maildetail.php to inject malicious SQL queries and potentially access or modify database contents. | 2026-02-06 | 8.2 | CVE-2020-37141 | ExploitDB-48109 VulnCheck Advisory: AMSS++ v 4.31 - 'id' SQL Injection |
| 10-Strike Software--Network Inventory Explorer | 10-Strike Network Inventory Explorer 8.54 contains a structured exception handler buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting SEH records. Attackers can craft a malicious payload targeting the 'Computer' parameter during the 'Add' function to trigger remote code execution. | 2026-02-05 | 8.4 | CVE-2020-37142 | ExploitDB-48253 10-Strike Software Homepage Archived Researcher Blog VulnCheck Advisory: 10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH) |
| EDIMAX Technology--EW-7438RPn Mini | Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's privileges. | 2026-02-05 | 8.1 | CVE-2020-37149 | ExploitDB-48318 Edimax EW-7438RPn Mini Product Page VulnCheck Advisory: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Cross-Site Request Forgery (CSRF) to Command Execution |
| Ciprianmp--phpMyChat Plus | phpMyChat Plus 1.98 contains a SQL injection vulnerability in the deluser.php page through the pmc_username parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to extract sensitive database information by crafting malicious payloads in the username field. | 2026-02-05 | 8.2 | CVE-2020-37151 | ExploitDB-48066 Vendor Homepage VulnCheck Advisory: phpMyChat Plus 1.98 'deluser.php' SQL Injection |
| QuickDate--QuickDate | QuickDate 1.3.2 contains a SQL injection vulnerability that allows remote attackers to manipulate database queries through the '_located' parameter in the find_matches endpoint. Attackers can inject UNION-based SQL statements to extract database information including user credentials, database name, and system version. | 2026-02-06 | 8.2 | CVE-2020-37163 | ExploitDB-48022 Archived QuickDate Script Webpage VulnCheck Advisory: QuickDate 1.3.2 - SQL Injection |
| Innomic--VibroLine VLX1 HD 5.0 | An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled. | 2026-02-02 | 8.8 | CVE-2022-50975 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Mitsubishi Electric Corporation--FREQSHIP-mini for Windows | Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation FREQSHIP-mini for Windows versions 8.0.0 to 8.0.2 allows a local attacker to execute arbitrary code with system privileges by replacing service executable files (EXE) or DLLs in the installation directory with specially crafted files. As a result, the attacker may be able to disclose, tamper with, delete, or destroy information stored on the PC where the affected product is installed, or cause a Denial of Service (DoS) condition on the affected system. | 2026-02-05 | 8.8 | CVE-2025-10314 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-019_en.pdf https://jvn.jp/jp/JVN64883963/ https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-01 |
| roxnor--Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Vulnerability was patched in version 2.2.1 for unauthenticated users, and fully patched in version 2.2.3 for Administrator+ level users. | 2026-02-04 | 8.2 | CVE-2025-13192 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9db1dfde-0cba-41b2-ab7a-a1640e5fd96b?source=cve https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L50 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L133 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L382 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L413 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L99 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L133 |
| IBM--Aspera Console | IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | 2026-02-05 | 8.6 | CVE-2025-13379 | https://www.ibm.com/support/pages/node/7259448 |
| jayarsiech--JAY Login & Register | The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. | 2026-02-08 | 8.8 | CVE-2025-15100 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fb900810-23a2-4920-a5e8-4388c4474de0?source=cve https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.6.01/includes/user-panel/jay-login-register-ajax-handler-user-panel.php#L624 |
| Tanium--Deploy | Tanium addressed an improper input validation vulnerability in Deploy. | 2026-02-05 | 8.8 | CVE-2025-15330 | TAN-2025-012 |
| themeboy--SportsPress Sports Club & League Manager | The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. | 2026-02-04 | 8.8 | CVE-2025-15368 | https://www.wordfence.com/threat-intel/vulnerabilities/id/27e40af7-5697-4482-a96d-9216886c363b?source=cve https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/class-sp-shortcodes.php#L32 https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/class-sp-shortcodes.php#L182 https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/sp-core-functions.php#L68 |
| Kubernetes--ingress-nginx | A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | 2026-02-06 | 8.8 | CVE-2025-15566 | https://github.com/kubernetes/kubernetes/issues/136789 |
| Ankara Hosting Website Design--Website Software | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS. This issue affects Website Software: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 8.6 | CVE-2025-6397 | https://www.usom.gov.tr/bildirim/tr-26-0014 |
| n/a--n/a | An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file. | 2026-02-03 | 8.8 | CVE-2025-65875 | http://www.fpdf.org https://github.com/Setasign/FPDF https://advisories.gitlab.com/pkg/composer/tecnickcom/tc-lib-pdf-font/CVE-2024-56520/ |
| N/A--Moodle[.]org | A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted. | 2026-02-03 | 8.1 | CVE-2025-67848 | https://access.redhat.com/security/cve/CVE-2025-67848 RHBZ#2423831 https://moodle.org/mod/forum/discuss.php?d=471298 |
| AKCE Software Technology R&D Industry and Trade Inc.--SKSPro | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection. This issue affects SKSPro: through 07012026. | 2026-02-02 | 8.6 | CVE-2025-8587 | https://www.usom.gov.tr/bildirim/tr-26-0011 |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests. | 2026-02-03 | 8.1 | CVE-2026-1375 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463 https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1&old=3339576&old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php |
| Red Hat--Red Hat Satellite 6 | A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle (MITM) attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in information disclosure and data integrity compromise. | 2026-02-02 | 8.1 | CVE-2026-1530 | https://access.redhat.com/security/cve/CVE-2026-1530 RHBZ#2433784 |
| Red Hat--Red Hat Satellite 6 | A flaw was found in foreman_kubevirt. When configuring the connection to OpenShift, the system disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set. This insecure default allows a remote attacker, capable of intercepting network traffic between Satellite and OpenShift, to perform a Man-in-the-Middle (MITM) attack. Such an attack could lead to the disclosure or alteration of sensitive information. | 2026-02-02 | 8.1 | CVE-2026-1531 | https://access.redhat.com/security/cve/CVE-2026-1531 RHBZ#2433786 |
| Kubernetes--ingress-nginx | A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | 2026-02-03 | 8.8 | CVE-2026-1580 | https://github.com/kubernetes/kubernetes/issues/136677 |
| skirridsystems--OS DataHub Maps | The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-02-03 | 8.8 | CVE-2026-1730 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c32ba2a0-a9a7-4f17-8169-912cecc40b7b?source=cve https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L67 https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L51 https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/os-datahub-maps.php?rev=3449192#L87 https://plugins.trac.wordpress.org/changeset/3452323/os-datahub-maps |
| seezee--WP FOFT Loader | The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-02-04 | 8.8 | CVE-2026-1756 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cede8ff5-f739-4eb3-9672-5adb5d2ae0a9?source=cve https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L45 https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L31 https://plugins.trac.wordpress.org/changeset/3453101/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction. | 2026-02-02 | 8.6 | CVE-2026-1761 | RHSA-2026:1948 RHSA-2026:2005 RHSA-2026:2006 RHSA-2026:2007 RHSA-2026:2008 RHSA-2026:2049 RHSA-2026:2182 RHSA-2026:2214 RHSA-2026:2215 RHSA-2026:2216 https://access.redhat.com/security/cve/CVE-2026-1761 RHBZ#2435961 |
| Ziroom--ZHOME A0101 | A weakness has been identified in Ziroom ZHOME A0101 1.0.1.0. Impacted is an unknown function of the component Dropbear SSH Service. This manipulation causes use of default credentials. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 8.1 | CVE-2026-1803 | VDB-343976 \| Ziroom ZHOME A0101 Dropbear SSH Service default credentials VDB-343976 \| CTI Indicators (IOB, IOC) Submit #745497 \| Ziroom Smart Ziroom Smart Gateway (ZH-A0101) ZH-A0101 1.0.1.0 Backdoor Submit #745529 \| Ziroom Smart Smart Gateway ZH-A0101 ZH-A0101 1.0.1.0 Credentials Management (Duplicate) https://github.com/Blackhole23-Lab/-/blob/main/vulns/ssh-backdoor.md https://github.com/Blackhole23-Lab/-/blob/main/vulns/ssh-backdoor.md#proof-of-concept |
| Karel Electronics Industry and Trade Inc.--ViPort | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS. This issue affects ViPort: through 23012026. | 2026-02-04 | 8.8 | CVE-2026-1819 | https://www.usom.gov.tr/bildirim/tr-26-0017 |
| Cisco--Cisco Meeting Management | A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system. This vulnerability is due to improper input validation in certain sections of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to upload arbitrary files to the affected system. The malicious files could overwrite system files that are processed by the root system account and allow arbitrary command execution with root privileges. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of video operator. | 2026-02-04 | 8.8 | CVE-2026-20098 | cisco-sa-cmm-file-up-kY47n8kK |
| UTT--进取 520W | A weakness has been identified in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formIpGroupConfig. Executing a manipulation of the argument groupName can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 8.8 | CVE-2026-2066 | VDB-344633 \| UTT 进取 520W formIpGroupConfig strcpy buffer overflow VDB-344633 \| CTI Indicators (IOB, IOC, IOA) Submit #745260 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/36.md https://github.com/cymiao1978/cve/blob/main/new/36.md#poc |
| UTT--进取 520W | A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/formTimeGroupConfig. The manipulation of the argument year1 leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 8.8 | CVE-2026-2067 | VDB-344634 \| UTT 进取 520W formTimeGroupConfig strcpy buffer overflow VDB-344634 \| CTI Indicators (IOB, IOC, IOA) Submit #745261 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/37.md https://github.com/cymiao1978/cve/blob/main/new/37.md#poc |
| UTT--进取 520W | A vulnerability was detected in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/formSyslogConf. The manipulation of the argument ServerIp results in buffer overflow. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 8.8 | CVE-2026-2068 | VDB-344635 \| UTT 进取 520W formSyslogConf strcpy buffer overflow VDB-344635 \| CTI Indicators (IOB, IOC, IOA) Submit #745262 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/38.md https://github.com/cymiao1978/cve/blob/main/new/38.md#poc |
| UTT--进取 520W | A vulnerability has been found in UTT 进取 520W 1.7.7-180627. The affected element is the function strcpy of the file /goform/formPolicyRouteConf. Such manipulation of the argument GroupName leads to buffer overflow. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 8.8 | CVE-2026-2070 | VDB-344637 \| UTT 进取 520W formPolicyRouteConf strcpy buffer overflow VDB-344637 \| CTI Indicators (IOB, IOC, IOA) Submit #745264 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/39.md |
| UTT--进取 520W | A vulnerability was found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formP2PLimitConfig. Performing a manipulation of the argument except results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 8.8 | CVE-2026-2071 | VDB-344638 \| UTT 进取 520W formP2PLimitConfig strcpy buffer overflow VDB-344638 \| CTI Indicators (IOB, IOC, IOA) Submit #745265 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/40.md |
| UTT--HiPER 810G | A vulnerability was detected in UTT HiPER 810G up to 1.7.7-171114. Affected by this vulnerability is the function strcpy of the file /goform/formFireWall of the component Management Interface. The manipulation of the argument GroupName results in buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 8.8 | CVE-2026-2086 | VDB-344653 \| UTT HiPER 810G Management formFireWall strcpy buffer overflow VDB-344653 \| CTI Indicators (IOB, IOC, IOA) Submit #746502 \| UTT (AiTai) HiPER 810G <= v3v1.7.7-171114 Buffer Overflow https://github.com/alc9700jmo/CVE/issues/22 https://github.com/alc9700jmo/CVE/issues/22#issue-3851242657 |
| Tenda--TX3 | A vulnerability has been found in Tenda TX3 up to 16.03.13.11_multi. This impacts an unknown function of the file /goform/SetIpMacBind. The manipulation of the argument list leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 8.8 | CVE-2026-2137 | VDB-344772 \| Tenda TX3 SetIpMacBind buffer overflow VDB-344772 \| CTI Indicators (IOB, IOC, IOA) Submit #747239 \| Tenda TX3 V16.03.13.11_multi Buffer Overflow https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx3/fromSetIpMacBind.md https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx3/fromSetIpMacBind.md#poc https://www.tenda.com.cn/ |
| Tenda--TX9 | A vulnerability was found in Tenda TX9 up to 22.03.02.10_multi. Affected is the function sub_42D03C of the file /goform/SetStaticRouteCfg. The manipulation of the argument list results in buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-02-08 | 8.8 | CVE-2026-2138 | VDB-344773 \| Tenda TX9 SetStaticRouteCfg sub_42D03C buffer overflow VDB-344773 \| CTI Indicators (IOB, IOC, IOA) Submit #747249 \| Tenda TX9 V22.03.02.10_multi Buffer Overflow https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/SetStaticRouteCfg.md https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/SetStaticRouteCfg.md#poc https://www.tenda.com.cn/ |
| Tenda--TX9 | A vulnerability was determined in Tenda TX9 up to 22.03.02.10_multi. Affected by this vulnerability is the function sub_432580 of the file /goform/fast_setting_wifi_set. This manipulation of the argument ssid causes buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 8.8 | CVE-2026-2139 | VDB-344774 \| Tenda TX9 fast_setting_wifi_set sub_432580 buffer overflow VDB-344774 \| CTI Indicators (IOB, IOC, IOA) Submit #747250 \| Tenda TX9 V22.03.02.10_multi Buffer Overflow https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/fast_setting_wifi_set.md https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/fast_setting_wifi_set.md#poc https://www.tenda.com.cn/ |
| Tenda--TX9 | A vulnerability was identified in Tenda TX9 up to 22.03.02.10_multi. Affected by this issue is the function sub_4223E0 of the file /goform/setMacFilterCfg. Such manipulation of the argument deviceList leads to buffer overflow. The attack may be launched remotely. The exploit is publicly available and might be used. | 2026-02-08 | 8.8 | CVE-2026-2140 | VDB-344775 \| Tenda TX9 setMacFilterCfg sub_4223E0 buffer overflow VDB-344775 \| CTI Indicators (IOB, IOC, IOA) Submit #747251 \| Tenda TX9 V22.03.02.10_multi Buffer Overflow Submit #749747 \| Tenda TX9 V22.03.02.18 Stack-based Buffer Overflow (Duplicate) https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/setMacFilterCfg.md https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/setMacFilterCfg.md#poc https://www.tenda.com.cn/ |
| Microsoft--Azure Functions | Azure Function Information Disclosure Vulnerability | 2026-02-05 | 8.2 | CVE-2026-21532 | Azure Function Information Disclosure Vulnerability |
| Tenda--RX3 | A vulnerability was identified in Tenda RX3 16.03.13.11. Affected is an unknown function of the file /goform/fast_setting_wifi_set. Such manipulation of the argument ssid_5g leads to stack-based buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used. | 2026-02-08 | 8.8 | CVE-2026-2180 | VDB-344883 \| Tenda RX3 fast_setting_wifi_set stack-based overflow VDB-344883 \| CTI Indicators (IOB, IOC, IOA) Submit #749703 \| Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/4 https://www.tenda.com.cn/ |
| Tenda--RX3 | A security flaw has been discovered in Tenda RX3 16.03.13.11. Affected by this vulnerability is an unknown functionality of the file /goform/openSchedWifi. Performing a manipulation of the argument schedStartTime/schedEndTime results in stack-based buffer overflow. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-08 | 8.8 | CVE-2026-2181 | VDB-344884 \| Tenda RX3 openSchedWifi stack-based overflow VDB-344884 \| CTI Indicators (IOB, IOC, IOA) Submit #749710 \| Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/5 https://www.tenda.com.cn/ |
| Tenda--RX3 | A flaw has been found in Tenda RX3 16.03.13.11. This issue affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. This manipulation of the argument devName/mac causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. | 2026-02-08 | 8.8 | CVE-2026-2185 | VDB-344888 \| Tenda RX3 MAC Filtering Configuration Endpoint setBlackRule set_device_name stack-based overflow VDB-344888 \| CTI Indicators (IOB, IOC, IOA) Submit #749715 \| Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/6 https://www.tenda.com.cn/ |
| Tenda--RX3 | A vulnerability has been found in Tenda RX3 16.03.13.11. Impacted is the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument list leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 8.8 | CVE-2026-2186 | VDB-344889 \| Tenda RX3 SetIpMacBind fromSetIpMacBind stack-based overflow VDB-344889 \| CTI Indicators (IOB, IOC, IOA) Submit #749718 \| Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/7 https://www.tenda.com.cn/ |
| Tenda--RX3 | A vulnerability was found in Tenda RX3 16.03.13.11. The affected element is the function set_qosMib_list of the file /goform/formSetQosBand. Performing a manipulation of the argument list results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2026-02-08 | 8.8 | CVE-2026-2187 | VDB-344890 \| Tenda RX3 formSetQosBand set_qosMib_list stack-based overflow VDB-344890 \| CTI Indicators (IOB, IOC, IOA) Submit #749721 \| Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/8 https://www.tenda.com.cn/ |
| Significant-Gravitas--AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.46, the AutoGPT platform's Stagehand integration blocks log API keys and authentication secrets in plaintext using logger.info() statements. This occurs in three separate block implementations (StagehandObserveBlock, StagehandActBlock, and StagehandExtractBlock) where the code explicitly calls api_key.get_secret_value() and logs the result. This issue has been patched in autogpt-platform-beta-v0.6.46. | 2026-02-04 | 8.1 | CVE-2026-22038 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-rc89-6g7g-v5v7 https://github.com/Significant-Gravitas/AutoGPT/commit/1eabc604842fa876c09d69af43d2d1e8fb9b8eb9 |
| opencloud-eu--reva | REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "archiver" service, this can be leveraged to create an archive (zip or tar file) containing all resources that the creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3. | 2026-02-06 | 8.2 | CVE-2026-23989 | https://github.com/opencloud-eu/reva/security/advisories/GHSA-9j2f-3rj3-wgpg https://github.com/opencloud-eu/reva/commit/95aa2bc5d980eaf6cc134d75782b4f5ac7b36ae1 |
| NeoRazorX--facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of administrators viewing the history. | 2026-02-02 | 8 | CVE-2026-23997 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h |
| Microsoft--Azure ARC | Azure Arc Elevation of Privilege Vulnerability | 2026-02-05 | 8.6 | CVE-2026-24302 | Azure Arc Elevation of Privilege Vulnerability |
| Kubernetes--ingress-nginx | A security issue was discovered in ingress-nginx where the `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | 2026-02-03 | 8.8 | CVE-2026-24512 | https://github.com/kubernetes/kubernetes/issues/136678 |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2. | 2026-02-03 | 8.7 | CVE-2026-24665 | https://github.com/gunet/openeclass/security/advisories/GHSA-2qgm-m7fm-m888 |
| parallax--jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0. | 2026-02-02 | 8.1 | CVE-2026-24737 | https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328 https://github.com/parallax/jsPDF/commit/da291a5f01b96282545c9391996702cdb8879f79 https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| clawdbot--clawdbot | OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw's Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29. | 2026-02-02 | 8.8 | CVE-2026-24763 | https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75 https://github.com/openclaw/openclaw/releases/tag/v2026.1.29 |
| chainguard-dev--melange | melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3. | 2026-02-04 | 8.2 | CVE-2026-24843 | https://github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4 https://github.com/chainguard-dev/melange/commit/6e243d0d46699f837d7c392397a694d2bcc7612b |
| node-modules--compressing | Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor's handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1. | 2026-02-04 | 8.4 | CVE-2026-24884 | https://github.com/node-modules/compressing/security/advisories/GHSA-cc8f-xg8v-72m3 https://github.com/node-modules/compressing/commit/8d16c196c7f1888fc1af957d9ff36117247cea6c https://github.com/node-modules/compressing/commit/ce1c0131c401c071c77d5a1425bf8c88cfc16361 |
| Huawei--HarmonyOS | Out-of-bounds write vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 8.4 | CVE-2026-24926 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| Huawei--HarmonyOS | UAF concurrency vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 8.4 | CVE-2026-24930 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| OpenListTeam--OpenList | OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains a path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount. This vulnerability is fixed in 4.1.10. | 2026-02-02 | 8.8 | CVE-2026-25059 | https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-qmj2-8r24-xxcq https://github.com/OpenListTeam/OpenList/commit/7b78fed106382430c69ef351d43f5d09928fff14 https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10 |
| OpenListTeam--OpenList | OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting defaults to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10. | 2026-02-02 | 8.1 | CVE-2026-25060 | https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389 https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1 https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10 |
| AlistGo--alist | Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains a path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0. | 2026-02-04 | 8.8 | CVE-2026-25161 | https://github.com/AlistGo/alist/security/advisories/GHSA-x4q4-7phh-42j9 https://github.com/AlistGo/alist/commit/b188288525b9a35c76535139311e7c036dab057e |
| Samsung Electronics--MagicINFO 9 Server | An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1. | 2026-02-02 | 8.8 | CVE-2026-25201 | https://security.samsungtv.com/securityUpdates |
| OpenSlides--OpenSlides | OpenSlides is a free, web-based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionally configurable single sign-on with SAML via an external IDP. For users synced to OpenSlides via an external IDP, there is an incorrect access control regarding the local login of these users. Users can successfully log in using the local login form and the OpenSlides username of a SAML user and a trivial password. This password is valid for all SAML users. This issue has been patched in version 4.2.29. | 2026-02-04 | 8.1 | CVE-2026-25519 | https://github.com/OpenSlides/OpenSlides/security/advisories/GHSA-vv4h-8wfc-pf8c https://github.com/OpenSlides/openslides-auth-service/pull/889 https://github.com/OpenSlides/openslides-auth-service/commit/70c1aa9f5e1db59ec120ecce98d1c1169350a4ee https://github.com/OpenSlides/OpenSlides/releases/tag/4.2.29 |
| pydantic--pydantic-ai | Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0. | 2026-02-06 | 8.6 | CVE-2026-25580 | https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3 https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301 |
| openclaw--openclaw | OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20. | 2026-02-06 | 8.4 | CVE-2026-25593 | https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg |
| qdrant--qdrant | Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_file path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0. | 2026-02-06 | 8.6 | CVE-2026-25628 | https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f https://github.com/qdrant/qdrant/commit/32b7fdfb7f542624ecd1f7c8d3e2b13c4e36a2c1 https://github.com/qdrant/qdrant/blob/48203e414e4e7f639a6d394fb6e4df695f808e51/src/actix/api/service_api.rs#L195 |
| kovidgoyal--calibre | calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0. | 2026-02-06 | 8.6 | CVE-2026-25635 | https://github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxr https://github.com/kovidgoyal/calibre/commit/9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9 |
| kovidgoyal--calibre | calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0. | 2026-02-06 | 8.2 | CVE-2026-25636 | https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29 https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726 |
| Anydesk--AnyDesk | AnyDesk 5.4.0 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially inject malicious executables. Attackers can exploit the unquoted binary path to place malicious files in service executable locations, potentially gaining elevated system privileges. | 2026-02-03 | 7.8 | CVE-2019-25261 | ExploitDB-47883 Official Vendor Homepage VulnCheck Advisory: AnyDesk 5.4.0 - Unquoted Service Path |
| Wondershare--Wondershare Application Framework Service | Wondershare Application Framework Service 2.4.3.231 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific directory locations to hijack the service's execution context. | 2026-02-06 | 7.8 | CVE-2019-25266 | ExploitDB-47617 Vendor Homepage Software Product Page VulnCheck Advisory: Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path |
| Wftpserver--Wing FTP Server | Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. | 2026-02-04 | 7.8 | CVE-2019-25267 | ExploitDB-47818 Wing FTP Server Official Homepage VulnCheck Advisory: Wing FTP Server 6.0.7 - Unquoted Service Path |
| Netgate--Amiti Antivirus | Amiti Antivirus 25.0.640 contains an unquoted service path vulnerability in its Windows service configurations. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges by placing executable files in specific directory locations. | 2026-02-04 | 7.8 | CVE-2019-25269 | ExploitDB-47747 Vendor Homepage VulnCheck Advisory: Amiti Antivirus 25.0.640 - Unquoted Service Path Vulnerability |
| NETGATE--Data Backup | NETGATE Data Backup 3.0.620 contains an unquoted service path vulnerability in its NGDatBckpSrv Windows service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with LocalSystem privileges by placing executable files in specific directory locations. | 2026-02-04 | 7.8 | CVE-2019-25271 | ExploitDB-47746 Vendor Homepage VulnCheck Advisory: NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path |
| Tenaxsoft--TexasSoft CyberPlanet | TexasSoft CyberPlanet 6.4.131 contains an unquoted service path vulnerability in the CCSrvProxy service that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe' to inject malicious executables and gain elevated system privileges. | 2026-02-04 | 7.8 | CVE-2019-25272 | ExploitDB-47724 Vendor Homepage VulnCheck Advisory: TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path |
| Easy-Hide-Ip--IP | Easy-Hide-IP 5.0.0.3 contains an unquoted service path vulnerability in the EasyRedirect service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe' to inject malicious executables and escalate privileges. | 2026-02-04 | 7.8 | CVE-2019-25273 | ExploitDB-47712 Vendor Homepage VulnCheck Advisory: Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path |
| Photodex--ProShow Producer | ProShow Producer 9.0.3797 contains an unquoted service path vulnerability in the ScsiAccess service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. | 2026-02-04 | 7.8 | CVE-2019-25274 | ExploitDB-47705 Vendor Homepage VulnCheck Advisory: ProShow Producer 9.0.3797 - Unquoted Service Path |
| FileHorse--BartVPN | BartVPN 1.2.2 contains an unquoted service path vulnerability in the BartVPNService that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service's execution context. | 2026-02-04 | 7.8 | CVE-2019-25275 | ExploitDB-47675 Vendor Homepage VulnCheck Advisory: BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path |
| Rockwellautomation--Studio | Studio 5000 Logix Designer 30.01.00 contains an unquoted service path vulnerability in the FactoryTalk Activation Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\ to inject malicious code that would execute with LocalSystem permissions. | 2026-02-04 | 7.8 | CVE-2019-25276 | ExploitDB-47676 Rockwell Automation Homepage VulnCheck Advisory: Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path |
| ncp-e--NCP_Secure_Entry_Client | NCP Secure Entry Client 9.2 contains an unquoted service path vulnerability in multiple Windows services that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted paths in services like ncprwsnt, rwsrsu, ncpclcfg, and NcpSec to inject malicious code that would execute with LocalSystem privileges during service startup. | 2026-02-04 | 7.8 | CVE-2019-25281 | ExploitDB-47668 NCP Software Vendor Homepage VulnCheck Advisory: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths |
| shrew--Shrew Soft VPN Client | Shrew Soft VPN Client 2.2.2 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can place malicious executables in the unquoted service path to gain elevated access during service startup or system reboot. | 2026-02-04 | 7.8 | CVE-2019-25283 | ExploitDB-47660 Vendor Homepage VulnCheck Advisory: Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path |
| Alps--device Controller | Alps Pointing-device Controller 8.1202.1711.04 contains an unquoted service path vulnerability in the ApHidMonitorService that allows local attackers to execute code with elevated privileges. Attackers can place a malicious executable in the service path and gain system-level access when the service restarts or the system reboots. | 2026-02-04 | 7.8 | CVE-2019-25285 | ExploitDB-47637 Official Alps Homepage VulnCheck Advisory: Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path |
| Gcafe--_GCafé | GCafé 3.0 contains an unquoted service path vulnerability in the gbClientService that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with LocalSystem permissions. | 2026-02-04 | 7.8 | CVE-2019-25286 | ExploitDB-47604 GCafé Official Vendor Homepage VulnCheck Advisory: _GCafé 3.0 - 'gbClienService' Unquoted Service Path |
| Webcompanion--Adaware Web Companion version | Adaware Web Companion version 4.8.2078.3950 contains an unquoted service path vulnerability in the WCAssistantService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Lavasoft\Web Companion\Application\ to inject malicious code that would execute with LocalSystem privileges during service startup. | 2026-02-04 | 7.8 | CVE-2019-25287 | ExploitDB-47597 Adaware Web Companion Official Website VulnCheck Advisory: Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path |
| Wacom--Wacom WTabletService | Wacom WTabletService 6.6.7-3 contains an unquoted service path vulnerability that allows local attackers to execute malicious code with elevated privileges. Attackers can insert an executable file in the service path to run unauthorized code when the service restarts or the system reboots. | 2026-02-04 | 7.8 | CVE-2019-25288 | ExploitDB-47593 Wacom Official Homepage VulnCheck Advisory: Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path |
| Alps--Alps HID Monitor Service | Alps HID Monitor Service 8.1.0.10 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\Apoint2K\HidMonitorSvc.exe to inject malicious executables and gain system-level access. | 2026-02-06 | 7.8 | CVE-2019-25292 | ExploitDB-47605 Official Product Homepage VulnCheck Advisory: Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path |
| bluestacks--Blue Stacks App Player | BlueStacks App Player 2.4.44.62.57 contains an unquoted service path vulnerability in the BstHdLogRotatorSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe to inject malicious executables and escalate privileges. | 2026-02-06 | 7.8 | CVE-2019-25293 | ExploitDB-47582 Official Product Homepage VulnCheck Advisory: Blue Stacks App Player 2.4.44.62.57 - "BstHdLogRotatorSvc" Unquote Service Path |
| lolypop55--html5_snmp | html5_snmp 1.11 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through Router_ID and Router_IP parameters. Attackers can exploit error-based, time-based, and union-based injection techniques to potentially extract or modify database information by sending crafted payloads. | 2026-02-06 | 7.1 | CVE-2019-25298 | ExploitDB-47588 Vendor Homepage VulnCheck Advisory: html5_snmp 1.11 - 'Router_ID' SQL Injection |
| rimbalinux--AhadPOS | RimbaLinux AhadPOS 1.11 contains a SQL injection vulnerability in the 'alamatCustomer' parameter that allows attackers to manipulate database queries through crafted POST requests. Attackers can exploit time-based and boolean-based blind SQL injection techniques to extract information or potentially interact with the underlying database. | 2026-02-06 | 7.1 | CVE-2019-25299 | ExploitDB-47585 Vendor Homepage VulnCheck Advisory: rimbalinux AhadPOS 1.11 - 'alamatCustomer' SQL Injection |
| thejshen--Globitek CMS | thejshen Globitek CMS 1.4 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to potentially extract or modify database information. | 2026-02-06 | 7.1 | CVE-2019-25300 | ExploitDB-47581 Vendor Homepage VulnCheck Advisory: thejshen Globitek CMS 1.4 - 'id' SQL Injection |
| Acer--Launch Manager | Acer Launch Manager 6.1.7600.16385 contains an unquoted service path vulnerability in the DsiWMIService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Launch Manager\dsiwmis.exe to insert malicious code that would execute with system-level permissions during service startup. | 2026-02-06 | 7.8 | CVE-2019-25302 | ExploitDB-47577 Acer Official Website VulnCheck Advisory: Acer Launch Manager 6.1.7600.16385 - 'DsiWMIService' Unquoted Service Path |
| thejshen--contentManagementSystem | TheJshen ContentManagementSystem 1.04 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to extract or manipulate database information by crafting malicious query payloads. | 2026-02-06 | 7.1 | CVE-2019-25303 | ExploitDB-47569 Vendor Homepage VulnCheck Advisory: TheJshen contentManagementSystem 1.04 - 'id' SQL Injection |
| Issivs--Intelligent Security System SecurOS Enterprise | SecurOS Enterprise 10.2 contains an unquoted service path vulnerability in the SecurosCtrlService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\ISS\SecurOS\ to insert malicious code that would execute with system-level permissions during service startup. | 2026-02-06 | 7.8 | CVE-2019-25304 | ExploitDB-47556 Vendor Product Homepage Company Website VulnCheck Advisory: Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path |
| Inforprograma--JumpStart | JumpStart 0.6.0.0 contains an unquoted service path vulnerability in the jswpbapi service running with LocalSystem privileges. Attackers can exploit the unquoted path containing spaces to inject and execute malicious code with elevated system permissions. | 2026-02-06 | 7.8 | CVE-2019-25305 | ExploitDB-47549 Official Product Homepage VulnCheck Advisory: JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path |
| VictorAlagwu--CMSsite | Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers. | 2026-02-03 | 7.2 | CVE-2020-37072 | ExploitDB-48484 Victor CMS Project Repository VulnCheck Advisory: Victor CMS 1.0 - 'comment_author' Persistent Cross-Site Scripting |
| Fishing Reservation System--Fishing Reservation System | Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabilities in admin.php, cart.php, and calendar.php that allow attackers to inject malicious SQL commands. Attackers can exploit vulnerable parameters like uid, pid, type, m, y, and code to compromise the database management system and web application without user interaction. | 2026-02-03 | 7.1 | CVE-2020-37081 | ExploitDB-48417 Vulnerability-Lab Researcher Disclosure Fishing Reservation System Homepage VulnCheck Advisory: Fishing Reservation System 7.5 - 'uid' SQL Injection |
| SunnySideSoft--VirtualTablet Server | VirtualTablet Server 3.0.2 contains a denial of service vulnerability that allows attackers to crash the service by sending oversized string payloads through the Thrift protocol. Attackers can exploit the vulnerability by sending a long string to the send_say() method, causing the server to become unresponsive. | 2026-02-03 | 7.5 | CVE-2020-37085 | ExploitDB-48402 Official Product Homepage VulnCheck Advisory: VirtualTablet Server 3.0.2 - Denial of Service (PoC) |
| Arox--School ERP Pro | School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system credentials and configuration information. | 2026-02-03 | 7.5 | CVE-2020-37088 | ExploitDB-48394 Archived Vendor Homepage Archived SourceForge Product Page VulnCheck Advisory: School ERP Pro 1.0 - Arbitrary File Read |
| Netis Systems Co., Ltd.--Netis E1+ | Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device. | 2026-02-03 | 7.5 | CVE-2020-37092 | ExploitDB-48382 Netis Systems Official Homepage VulnCheck Advisory: Netis E1+ 1.2.32533 - Backdoor Account (root) |
| Netis Systems Co., Ltd.--Netis E1+ | Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET request to the endpoint to extract sensitive network credentials including SSID and WiFi passwords in plain text. | 2026-02-03 | 7.5 | CVE-2020-37093 | ExploitDB-48384 Netis Systems Official Homepage VulnCheck Advisory: Netis E1+ 1.2.32533 - Unauthenticated WiFi Password Leak |
| EDIMAX Technology Co., Ltd.--EW-7438RPn Mini | Edimax EW-7438RPn 1.13 contains an information disclosure vulnerability that exposes WiFi network configuration details through the wlencrypt_wiz.asp file. Attackers can access the script to retrieve sensitive information including WiFi network name and plaintext password stored in device configuration variables. | 2026-02-03 | 7.5 | CVE-2020-37097 | ExploitDB-48365 Edimax EW-7438RPn Product Homepage VulnCheck Advisory: Edimax EW-7438RPn 1.13 - Information Disclosure (WiFi Password) |
| DiskSorter--Disk Sorter Enterprise | Disk Sorter Enterprise 12.4.16 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. | 2026-02-03 | 7.8 | CVE-2020-37098 | ExploitDB-48048 Vendor Homepage VulnCheck Advisory: Disk Sorter Enterprise 12.4.16 - Unquoted Service Path |
| DiskSavvy--Disk Savvy Enterprise | Disk Savvy Enterprise 12.3.18 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe' to inject malicious executables and escalate privileges. | 2026-02-03 | 7.8 | CVE-2020-37099 | ExploitDB-48049 Vendor Homepage VulnCheck Advisory: Disk Savvy Enterprise 12.3.18 - 'disksvs.exe' Unquoted Service Path |
| SyncBreeze--Sync Breeze Enterprise | Sync Breeze Enterprise 12.4.18 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service startup process. | 2026-02-03 | 7.8 | CVE-2020-37100 | ExploitDB-48045 Vendor Homepage VulnCheck Advisory: Sync Breeze Enterprise 12.4.18 - Unquoted Service Path |
| Vpnunlimitedapp--VPN unlimited | VPN Unlimited 6.1 contains an unquoted service path vulnerability that allows local attackers to inject malicious executables into the service binary path. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\VPN Unlimited\' to replace the service executable and gain elevated system privileges. | 2026-02-03 | 7.8 | CVE-2020-37101 | ExploitDB-47916 VPN Unlimited Official Homepage VulnCheck Advisory: VPN unlimited 6.1 - Unquoted Service Path |
| Lavasoft--Web Companion | Adaware Web Companion 4.9.2159 contains an unquoted service path vulnerability in the WCAssistantService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. | 2026-02-03 | 7.8 | CVE-2020-37102 | ExploitDB-47852 Vendor Homepage Software Download Link VulnCheck Advisory: Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path |
| redmine--PMB | PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database. | 2026-02-03 | 7.1 | CVE-2020-37105 | ExploitDB-48356 Vendor Homepage Software Download Repository VulnCheck Advisory: PMB 5.6 - 'logid' SQL Injection |
| Core FTP--Core FTP LE | Core FTP LE 2.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the account field with a large buffer. Attackers can create a text file with 20,000 repeated characters and paste it into the account field to cause the application to become unresponsive and require reinstallation. | 2026-02-06 | 7.5 | CVE-2020-37107 | ExploitDB-48137 Core FTP Vendor Homepage Core FTP Download Page VulnCheck Advisory: Core FTP LE 2.2 - Denial of Service |
| AllHandsMarketing--PhpIX 2012 Professional | PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information. | 2026-02-03 | 7.1 | CVE-2020-37108 | ExploitDB-48138 Vendor Homepage Demonstration Website VulnCheck Advisory: PhpIX 2012 Professional - 'id' SQL Injection |
| asc Applied Software Consultants--aSc TimeTables | aSc TimeTables 2020.11.4 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the Subject title field with a large buffer. Attackers can generate a 1000-character buffer and paste it into the Subject title to trigger an application crash and potential instability. | 2026-02-06 | 7.5 | CVE-2020-37109 | ExploitDB-48133 Vendor Homepage VulnCheck Advisory: aSc TimeTables 2020.11.4 - Denial of Service |
| Openeclass--GUnet OpenEclass | GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. Attackers can exploit the 'month' parameter in the agenda module and other endpoints to extract sensitive database information using error-based or time-based injection techniques. | 2026-02-03 | 7.1 | CVE-2020-37112 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection |
| Nsauditor--FTP Password Recover | SpotFTP-FTP Password Recover 2.4.8 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a text file with 1000 'Z' characters and input it as a registration code to trigger the application crash. | 2026-02-06 | 7.5 | CVE-2020-37122 | ExploitDB-48132 Vendor Homepage Software Download Page VulnCheck Advisory: SpotFTP-FTP Password Recover 2.4.8 - Denial of Service |
| Nsauditor--Nsauditor | Nsauditor 3.2.0.0 contains a denial of service vulnerability in the registration name input field that allows attackers to crash the application. Attackers can create a malicious payload of 1000 bytes of repeated characters to trigger an application crash when pasted into the registration name field. | 2026-02-05 | 7.5 | CVE-2020-37130 | ExploitDB-48286 Vendor Homepage VulnCheck Advisory: Nsauditor 3.2.0.0 - 'Name' Denial of Service |
| UltraVNC Team--UltraVNC Launcher | UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allows attackers to crash the application. Attackers can paste an overly long string of 300 characters into the Repeater Host property to trigger an application crash. | 2026-02-05 | 7.5 | CVE-2020-37133 | ExploitDB-48288 UltraVNC Official Homepage VulnCheck Advisory: UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service |
| UltraVNC Team--UltraVNC Viewer | UltraVNC Viewer 1.2.4.0 contains a denial of service vulnerability that allows attackers to crash the application by manipulating VNC Server input. Attackers can generate a malformed 256-byte payload and paste it into the VNC Server connection dialog to trigger an application crash. | 2026-02-05 | 7.5 | CVE-2020-37134 | ExploitDB-48291 UltraVNC Official Homepage VulnCheck Advisory: UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service |
| Amssplus--AMSS++ | AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system. | 2026-02-06 | 7.5 | CVE-2020-37135 | ExploitDB-48114 VulnCheck Advisory: AMSS++ 4.7 - Backdoor Admin Account |
| EmTec--ZOC Terminal | ZOC Terminal 7.25.5 contains a denial of service vulnerability in the private key file input field that allows attackers to crash the application. Attackers can overwrite the private key file input with a 2000-byte buffer, causing the application to become unresponsive when attempting to create SSH key files. | 2026-02-05 | 7.5 | CVE-2020-37136 | ExploitDB-48292 Vendor Homepage VulnCheck Advisory: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service |
| GE Intelligent Platforms, Inc.--ProficySCADA for iOS | ProficySCADA for iOS 5.0.25920 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the password input field. Attackers can overwrite the password field with 257 bytes of repeated characters to trigger an application crash and prevent successful authentication. | 2026-02-05 | 7.5 | CVE-2020-37143 | ExploitDB-48236 Archived App Software VulnCheck Advisory: ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service |
| ACE SECURITY--Aptina AR0130 960P 1.3MP Camera | ACE Security WiP-90113 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration files. Attackers can access the camera's configuration backup by sending a GET request to the /config_backup.bin endpoint, exposing credentials and system settings. | 2026-02-06 | 7.5 | CVE-2020-37146 | ExploitDB-48127 Vendor Homepage Product Support Page VulnCheck Advisory: Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure |
| Atutor--ATutor | ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information. | 2026-02-06 | 7.1 | CVE-2020-37147 | ExploitDB-48117 ATutor Official Homepage VulnCheck Advisory: ATutor 2.2.4 - 'id' SQL Injection |
| EDIMAX Technology--EW-7438RPn Mini | Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wireless password by sending a GET request to this endpoint, exposing sensitive information without authentication. | 2026-02-05 | 7.5 | CVE-2020-37150 | ExploitDB-48318 Edimax EW-7438RPn Mini Product Page VulnCheck Advisory: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Unauthorized Access: Wi-Fi Password Disclosure |
| Tripath Project--eLection | eLection 2.0 contains an authenticated SQL injection vulnerability in the candidate management endpoint that allows attackers to manipulate database queries through the 'id' parameter. Attackers can leverage SQLMap to exploit the vulnerability, potentially gaining remote code execution by uploading backdoor files to the web application directory. | 2026-02-06 | 7.1 | CVE-2020-37154 | ExploitDB-48122 eLection Project Vendor Homepage Researcher Exploit Disclosure VulnCheck Advisory: eLection 2.0 - 'id' SQL Injection |
| Core FTP--Core FTP Lite | Core FTP Lite 1.3 contains a buffer overflow vulnerability in the username input field that allows attackers to crash the application by supplying oversized input. Attackers can generate a 7000-byte payload of repeated 'A' characters to trigger an application crash without requiring additional interaction. | 2026-02-06 | 7.5 | CVE-2020-37155 | ExploitDB-48100 Core FTP Official Homepage VulnCheck Advisory: Core FTP Lite 1.3 - Denial of Service (PoC) |
| DBPower--DBPower C300 HD Camera | DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file and extract hardcoded username and password by accessing the /tmpfs/config_backup.bin resource. | 2026-02-06 | 7.5 | CVE-2020-37157 | ExploitDB-48095 Archived Researcher Blog VulnCheck Advisory: DBPower C300 HD Camera - Remote Configuration Disclosure |
| Innomic--VibroLine Configurator 5.0 | A local attacker could cause a full device reset by resetting the device passwords using an invalid reset file via USB. | 2026-02-02 | 7.7 | CVE-2022-50976 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Innomic--VibroLine VLX1 HD 5.0 | An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP. | 2026-02-02 | 7.5 | CVE-2022-50977 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Innomic--VibroLine VLX1 HD 5.0 | An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (TCP). | 2026-02-02 | 7.5 | CVE-2022-50978 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Talemy--Spirit Framework | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion. This issue affects Spirit Framework: from n/a through 1.2.13. | 2026-02-02 | 7.5 | CVE-2024-54263 | https://patchstack.com/database/wordpress/plugin/spirit-framework/vulnerability/wordpress-spirit-framework-plugin-1-2-13-local-file-inclusion-vulnerability?_s_id=cve |
| Zyxel--ATP series firmware | A post‑authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command in Zyxel ATP series firmware versions from V5.35 through V5.41, USG FLEX series firmware versions from V5.35 through V5.41, USG FLEX 50(W) series firmware versions from V5.35 through V5.41, and USG20(W)-VPN series firmware versions from V5.35 through V5.41 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device by supplying a specially crafted string as an argument to the CLI command. | 2026-02-05 | 7.2 | CVE-2025-11730 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-the-ddns-configuration-cli-command-of-zld-firewalls-02-05-2026 |
| IBM--Business Automation Workflow containers | IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 are vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | 2026-02-02 | 7.1 | CVE-2025-13096 | https://www.ibm.com/support/pages/node/7259321 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. Mattermost Advisory ID: MMSA-2025-00557 | 2026-02-06 | 7.7 | CVE-2025-13523 | MMSA-2025-00557 |
| IBM--WebSphere Application Server Liberty | IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution. | 2026-02-02 | 7.6 | CVE-2025-14914 | https://www.ibm.com/support/pages/node/7258224 |
| infility--Infility Global | The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-02-04 | 7.5 | CVE-2025-15268 | https://www.wordfence.com/threat-intel/vulnerabilities/id/648941b8-d1ab-4587-bd87-f23008ac9a00?source=cve https://plugins.trac.wordpress.org/browser/infility-global/trunk/include/class/db.class.php?marks=41#L41 https://plugins.trac.wordpress.org/browser/infility-global/trunk/infility_global.php?marks=626#L626 https://plugins.trac.wordpress.org/browser/infility-global/trunk/include/class/str.class.php?marks=21#L21 |
| lupsonline--SEO Flow by LupsOnline | The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories. | 2026-02-04 | 7.5 | CVE-2025-15285 | https://www.wordfence.com/threat-intel/vulnerabilities/id/526837cc-ed1d-4d3d-8f75-a2098445dd1d?source=cve https://plugins.trac.wordpress.org/browser/lupsonline-link-netwerk/tags/2.2.1/includes/class-linknetwerk-api.php?marks=83-99,101-117#L83 |
| Tanium--Tanium Appliance | Tanium addressed an unauthorized code execution vulnerability in Tanium Appliance. | 2026-02-05 | 7.8 | CVE-2025-15311 | TAN-2025-002 |
| n/a--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. The manipulation of the argument OGS_KEY_LEN results in stack-based buffer overflow. The attack may be launched remotely. The patch is identified as 54dda041211098730221d0ae20a2f9f9173e7a21. A patch should be applied to remediate this issue. | 2026-02-04 | 7.3 | CVE-2025-15555 | VDB-343795 \| Open5GS VoLTE Cx-Test hss-cx-path.c hss_ogs_diam_cx_mar_cb stack-based overflow VDB-343795 \| CTI Indicators (IOB, IOC, IOA) Submit #741901 \| Open5GS v2.7.6 Buffer Over-read https://github.com/open5gs/open5gs/issues/4177 https://github.com/open5gs/open5gs/issues/4177#event-21256395700 https://github.com/open5gs/open5gs/commit/54dda041211098730221d0ae20a2f9f9173e7a21 https://github.com/open5gs/open5gs/ |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when user space address is modified and passed to mem_free API, causing kernel memory to be freed inadvertently. | 2026-02-02 | 7.8 | CVE-2025-47358 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when multiple threads simultaneously access a memory free API. | 2026-02-02 | 7.8 | CVE-2025-47359 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLOS providing incorrect input. | 2026-02-02 | 7.1 | CVE-2025-47366 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when initiating GPU memory mapping using scatter-gather lists due to unchecked IOMMU mapping errors. | 2026-02-02 | 7.8 | CVE-2025-47397 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption while deallocating graphics processing unit memory buffers due to improper handling of memory pointers. | 2026-02-02 | 7.8 | CVE-2025-47398 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption while processing IOCTL call to update sensor property settings with invalid input parameters. | 2026-02-02 | 7.8 | CVE-2025-47399 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| n8n-io--n8n | n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process (for example, data from prior requests, tasks, secrets, or tokens), resulting in potential information disclosure. This issue has been patched in version 1.114.3. | 2026-02-04 | 7.7 | CVE-2025-61917 | https://github.com/n8n-io/n8n/security/advisories/GHSA-49mx-fj45-q3p6 https://github.com/n8n-io/n8n/commit/2c4c2953199733c791f739a40879ae31ca129aba |
| N/A--Moodle[.]org | A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated. | 2026-02-03 | 7.3 | CVE-2025-67849 | https://access.redhat.com/security/cve/CVE-2025-67849 RHBZ#2423835 |
| N/A--Moodle[.]org | A flaw was found in Moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions. | 2026-02-03 | 7.3 | CVE-2025-67850 | https://access.redhat.com/security/cve/CVE-2025-67850 RHBZ#2423838 |
| N/A--Moodle[.]org | A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts. | 2026-02-03 | 7.5 | CVE-2025-67853 | https://access.redhat.com/security/cve/CVE-2025-67853 RHBZ#2423847 |
| TriliumNext--Trilium | Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim's knowledge base. This vulnerability is fixed in 0.101.0. | 2026-02-06 | 7.4 | CVE-2025-68621 | https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x https://github.com/TriliumNext/Trilium/pull/8129 |
| Ofisimo Web-Based Software Technologies--Association Web Package Flora | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HTTP Headers. This issue affects Association Web Package Flora: from v3.0 through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 7.6 | CVE-2025-7760 | https://www.usom.gov.tr/bildirim/tr-26-0015 |
| Kod8 Software Technologies Trade Ltd. Co.--Kod8 Individual and SME Website | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website allows Reflected XSS. This issue affects Kod8 Individual and SME Website: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 7.6 | CVE-2025-8456 | https://www.usom.gov.tr/bildirim/tr-26-0012 |
| Seres Software--syWEB | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS. This issue affects syWEB: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 7.6 | CVE-2025-8461 | https://www.usom.gov.tr/bildirim/tr-26-0013 |
| AKCE Software Technology R&D Industry and Trade Inc.--SKSPro | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS. This issue affects SKSPro: through 07012026. | 2026-02-03 | 7.6 | CVE-2025-8589 | https://www.usom.gov.tr/bildirim/tr-26-0011 |
| AKCE Software Technology R&D Industry and Trade Inc.--SKSPro | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Directory Indexing. This issue affects SKSPro: through 07012026. | 2026-02-03 | 7.5 | CVE-2025-8590 | https://www.usom.gov.tr/bildirim/tr-26-0011 |
| Autodesk--3ds Max | A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0536 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| Autodesk--3ds Max | A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0537 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| Autodesk--3ds Max | A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0538 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| latepoint--LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history. | 2026-02-03 | 7.2 | CVE-2026-0617 | https://www.wordfence.com/threat-intel/vulnerabilities/id/22bcfd36-ecf9-4d2c-ac94-94ffa0340c4c?source=cve https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/views/activities/view.php#L27 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/controllers/activities_controller.php https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/activity_model.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3449263%40latepoint%2Ftrunk&old=3408660%40latepoint%2Ftrunk&sfp_email=&sfph_mail= |
| Autodesk--USD for Arnold | A maliciously crafted USD file, when loaded or imported into Autodesk Arnold or Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0659 | https://www.autodesk.com/products/autodesk-access/overview https://github.com/Autodesk/arnold-usd https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0003 |
| Autodesk--3ds Max | A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0660 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| Autodesk--3ds Max | A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0661 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| Autodesk--3ds Max | A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized. | 2026-02-04 | 7.8 | CVE-2026-0662 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| 10web--Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder | The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list. | 2026-02-03 | 7.1 | CVE-2026-1058 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e0ec0027-2792-4069-b413-8fdd951f5fe7?source=cve https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/admin/views/Submissions_fm.php#L759 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail= |
| 10web--Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder | The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms. | 2026-02-03 | 7.2 | CVE-2026-1065 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8230d5f8-01d9-465a-8a43-e9852248bb3d?source=cve https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/js/add_field.js#L2364 https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1744 https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1855 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail= |
| bplugins--All In One Image Viewer Block Gutenberg block to create image viewer with hyperlink | The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-02-05 | 7.2 | CVE-2026-1294 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7c3f7108-eb32-425a-a705-4f032e7da6b0?source=cve https://plugins.trac.wordpress.org/browser/image-viewer/tags/1.0.2/image-viewer-block.php#L10 https://plugins.trac.wordpress.org/changeset/3449642/image-viewer/tags/1.0.3/image-viewer-block.php?old=3405983&old_path=image-viewer%2Ftags%2F1.0.2%2Fimage-viewer-block.php |
| pgadmin.org--pgAdmin 4 | pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore process by overwriting the restore script with a payload that re-enables meta-commands using `\unrestrict <key>`. This results in reliable command execution on the pgAdmin host during the restore operation. | 2026-02-05 | 7.4 | CVE-2026-1707 | https://github.com/pgadmin-org/pgadmin4/issues/9518 |
| EFM--ipTIME A8004T | A vulnerability was found in EFM ipTIME A8004T 14.18.2. This impacts the function httpcon_check_session_url of the file /cgi/timepro.cgi of the component Hidden Hiddenloginsetup Interface. The manipulation results in improper authentication. The attack may be performed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 7.3 | CVE-2026-1740 | VDB-343639 \| EFM ipTIME A8004T Hidden Hiddenloginsetup timepro.cgi httpcon_check_session_url improper authentication VDB-343639 \| CTI Indicators (IOB, IOC, IOA) Submit #741422 \| IPTIME A8004T 14.18.2 Authentication Bypass & Arbitrary Password Reset https://github.com/LX-LX88/cve/issues/27 |
| AWS--SageMaker Python SDK | The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output location may have the ability to upload arbitrary artifacts which are executed the next time the Training Job is invoked. | 2026-02-02 | 7.2 | CVE-2026-1777 | https://aws.amazon.com/security/security-bulletins/2026-004-AWS/ https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-rjrp-m2jw-pv9c https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.2.0 https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0 |
| Ziroom--ZHOME A0101 | A security flaw has been discovered in Ziroom ZHOME A0101 1.0.1.0. This issue affects the function macAddrClone of the file luci\controller\api\zrMacClone.lua. The manipulation of the argument macType results in command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 7.3 | CVE-2026-1802 | VDB-343975 \| Ziroom ZHOME A0101 zrMacClone.lua macAddrClone command injection VDB-343975 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741842 \| https://sh.ziroom.com/ ZHOME A0101 Command Injection https://github.com/jinhao118/cve/blob/main/ziru_router_command_injection.md |
| itsourcecode--Student Management System | A vulnerability was found in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /ramonsys/enrollment/controller.php. The manipulation of the argument ID results in SQL injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-02-06 | 7.3 | CVE-2026-2011 | VDB-344593 \| itsourcecode Student Management System controller.php sql injection VDB-344593 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #743498 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/tianrenu/CVE-Discoveries/issues/1 https://itsourcecode.com/ |
| Cisco--Cisco RoomOS Software | A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of input received by an affected device. An attacker could exploit this vulnerability by getting the affected device to render crafted text, for example, a crafted meeting invitation. As indicated in the CVSS score, no user interaction is required, such as accepting the meeting invitation. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. | 2026-02-04 | 7.5 | CVE-2026-20119 | cisco-sa-tce-roomos-dos-9V9jrC2q |
| itsourcecode--Student Management System | A vulnerability was determined in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /ramonsys/facultyloading/index.php. This manipulation of the argument ID causes SQL injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-06 | 7.3 | CVE-2026-2012 | VDB-344594 \| itsourcecode Student Management System index.php sql injection VDB-344594 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #743499 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/tianrenu/CVE-Discoveries/issues/2 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A vulnerability was identified in itsourcecode Student Management System 1.0. This affects an unknown function of the file /ramonsys/soa/index.php. Such manipulation of the argument ID leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used. | 2026-02-06 | 7.3 | CVE-2026-2013 | VDB-344595 \| itsourcecode Student Management System index.php sql injection VDB-344595 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #743500 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/tianrenu/CVE-Discoveries/issues/3 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A security flaw has been discovered in itsourcecode Student Management System 1.0. This impacts an unknown function of the file /ramonsys/billing/index.php. Performing a manipulation of the argument ID results in SQL injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. | 2026-02-06 | 7.3 | CVE-2026-2014 | VDB-344596 \| itsourcecode Student Management System index.php sql injection VDB-344596 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #744048 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/35 https://itsourcecode.com/ |
| itsourcecode--School Management System | A flaw has been found in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/settings/controller.php. This manipulation of the argument ID causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-02-06 | 7.3 | CVE-2026-2018 | VDB-344600 \| itsourcecode School Management System controller.php sql injection VDB-344600 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #744075 \| itsourcecode School Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/36 https://itsourcecode.com/ |
| SourceCodester--Medical Center Portal Management System | A vulnerability was detected in SourceCodester Medical Center Portal Management System 1.0. This affects an unknown function of the file /login.php. The manipulation of the argument User results in SQL injection. The attack can be executed remotely. The exploit is now public and may be used. | 2026-02-06 | 7.3 | CVE-2026-2057 | VDB-344617 \| SourceCodester Medical Center Portal Management System login.php sql injection VDB-344617 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #744233 \| SourceCodester Medical Center Portal Management System 1.0 SQL Injection https://github.com/Roger-Adventures/CVE/issues/1 https://www.sourcecodester.com/ |
| mathurvishal--CloudClassroom-PHP-Project | A flaw has been found in mathurvishal CloudClassroom-PHP-Project up to 5dadec098bfbbf3300d60c3494db3fb95b66e7be. This impacts an unknown function of the file /postquerypublic.php of the component Post Query Details Page. This manipulation of the argument gnamex causes SQL injection. The attack can be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 7.3 | CVE-2026-2058 | VDB-344618 \| mathurvishal CloudClassroom-PHP-Project Post Query Details postquerypublic.php sql injection VDB-344618 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #744236 \| https://github.com/mathurvishal/CloudClassroom-PHP-Project CloudClassroom PHP Project 1.0 SQL Injection https://github.com/carlosalbertotuma/CLOUD-CLASSROOMS-php-1.0 https://github.com/carlosalbertotuma/CLOUD-CLASSROOMS-php-1.0#impact |
| SourceCodester--Medical Center Portal Management System | A vulnerability has been found in SourceCodester Medical Center Portal Management System 1.0. Affected is an unknown function of the file /emp_edit1.php. Such manipulation of the argument ID leads to SQL injection. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. | 2026-02-06 | 7.3 | CVE-2026-2059 | VDB-344619 \| SourceCodester Medical Center Portal Management System emp_edit1.php sql injection VDB-344619 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #744261 \| SourceCodester Medical Center Portal Management System 1.0 SQL Injection https://github.com/Roger-Adventures/CVE/issues/2 https://www.sourcecodester.com/ |
| code-projects--Simple Blood Donor Management System | A vulnerability was found in code-projects Simple Blood Donor Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /simpleblooddonor/editcampaignform.php. Performing a manipulation of the argument ID results in SQL injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2026-02-06 | 7.3 | CVE-2026-2060 | VDB-344620 \| code-projects Simple Blood Donor Management System editcampaignform.php sql injection VDB-344620 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #744262 \| code-projects Simple Blood Donor Management System V1.0 SQL Injection https://github.com/kyxh001/CVE/issues/1 https://code-projects.org/ |
| itsourcecode--School Management System | A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to SQL injection. The attack may be performed remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-07 | 7.3 | CVE-2026-2073 | VDB-344639 \| itsourcecode School Management System index.php sql injection VDB-344639 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #745482 \| itsourcecode School Management System V1.0 SQL Injection https://github.com/Sherlocksbs/CVE/issues/1 https://itsourcecode.com/ |
| UTT--HiPER 810 | A vulnerability has been found in UTT HiPER 810 1.7.4-141218. This issue affects the function setSysAdm of the file /goform/formUser. The manipulation of the argument passwd1 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 7.2 | CVE-2026-2080 | VDB-344646 \| UTT HiPER 810 formUser setSysAdm command injection VDB-344646 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #745521 \| UTT HiPER 810 / nv810v4 nv810v4v1.7.4-141218 Command Injection https://github.com/cha0yang1/UTT810CVE/blob/main/README.md https://github.com/cha0yang1/UTT810CVE/blob/main/README.md#reproduction-steps |
| code-projects--Social Networking Site | A security flaw has been discovered in code-projects Social Networking Site 1.0. This affects an unknown function of the file /delete_post.php. Performing a manipulation of the argument ID results in SQL injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-07 | 7.3 | CVE-2026-2083 | VDB-344650 \| code-projects Social Networking Site delete_post.php sql injection VDB-344650 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #745937 \| code-projects Social Networking Site V1.0 SQL Injection https://github.com/6Justdododo6/CVE/issues/1 https://code-projects.org/ |
| D-Link--DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the file /goform/set_language. Executing a manipulation of the argument langSelection can lead to OS command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-07 | 7.2 | CVE-2026-2084 | VDB-344651 \| D-Link DIR-823X set_language os command injection VDB-344651 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746379 \| D-Link DIR 250416 OS Command Injection Submit #746380 \| D-Link DIR-823X 250416 OS Command Injection (Duplicate) https://github.com/master-abc/cve/issues/24 https://www.dlink.com/ |
| D-Link--DWR-M921 | A security vulnerability has been detected in D-Link DWR-M921 1.1.50. Affected is the function sub_419F20 of the file /boafrm/formUSSDSetup of the component USSD Configuration Endpoint. The manipulation of the argument ussdValue leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-02-07 | 7.2 | CVE-2026-2085 | VDB-344652 \| D-Link DWR-M921 USSD Configuration Endpoint formUSSDSetup sub_419F20 command injection VDB-344652 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746400 \| D-Link DWR-M921 V1.1.50 Command Injection https://github.com/LX-66-LX/cve-new/issues/1 https://github.com/LX-66-LX/cve-new/issues/1#issue-3851345029 https://www.dlink.com/ |
| SourceCodester--Online Class Record System | A flaw has been found in SourceCodester Online Class Record System 1.0. Affected by this issue is some unknown functionality of the file /admin/login.php. This manipulation of the argument user_email causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2026-02-07 | 7.3 | CVE-2026-2087 | VDB-344654 \| SourceCodester Online Class Record System login.php sql injection VDB-344654 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746510 \| SourceCodester Online Class Record System 1.0 SQL Injection https://github.com/xiaoccm07/cve/issues/1 https://www.sourcecodester.com/ |
| PHPGurukul--Beauty Parlour Management System | A vulnerability has been found in PHPGurukul Beauty Parlour Management System 1.1. This affects an unknown part of the file /admin/accepted-appointment.php. Such manipulation of the argument delid leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-02-07 | 7.3 | CVE-2026-2088 | VDB-344655 \| PHPGurukul Beauty Parlour Management System accepted-appointment.php sql injection VDB-344655 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746520 \| PHPgurukul Beauty Parlour Management System V1.1 SQL Injection https://github.com/Shaon-Xis/cve/issues/1 https://phpgurukul.com/ |
| SourceCodester--Online Class Record System | A vulnerability was found in SourceCodester Online Class Record System 1.0. This vulnerability affects unknown code of the file /admin/subject/controller.php. Performing a manipulation of the argument ID results in SQL injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2026-02-07 | 7.3 | CVE-2026-2089 | VDB-344656 \| SourceCodester Online Class Record System controller.php sql injection VDB-344656 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746550 \| SourceCodester Online Class Record System 1.0 SQL Injection https://github.com/xiaoccm07/cve/issues/2 https://www.sourcecodester.com/ |
| SourceCodester--Online Class Record System | A vulnerability was determined in SourceCodester Online Class Record System 1.0. This issue affects some unknown processing of the file /admin/message/search.php. Executing a manipulation of the argument term can lead to SQL injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-07 | 7.3 | CVE-2026-2090 | VDB-344657 \| SourceCodester Online Class Record System search.php sql injection VDB-344657 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746551 \| SourceCodester Online Class Record System 1.0 SQL Injection https://github.com/xiaoccm07/cve/issues/3 https://www.sourcecodester.com/ |
| Infor--SyteLine ERP | Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt all stored credentials. | 2026-02-06 | 7.1 | CVE-2026-2103 | https://blog.blacklanternsecurity.com/p/cve-2026-2103-infor-syteline-erp |
| yuan1994--tpadmin | A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-07 | 7.3 | CVE-2026-2113 | VDB-344688 \| yuan1994 tpadmin WebUploader preview.php deserialization VDB-344688 \| CTI Indicators (IOB, IOC, IOA) Submit #746795 \| https://github.com/yuan1994/tpadmin cms v1.3 RCE https://github.com/sTy1H/CVE-Report/blob/main/Remote%20Code%20Execution%20Vulnerability%20in%20Tpadmin%20System.md |
| itsourcecode--Society Management System | A vulnerability was detected in itsourcecode Society Management System 1.0. This vulnerability affects unknown code of the file /admin/edit_admin.php. The manipulation of the argument admin_id results in SQL injection. The attack may be performed remotely. The exploit is now public and may be used. | 2026-02-07 | 7.3 | CVE-2026-2114 | VDB-344689 \| itsourcecode Society Management System edit_admin.php sql injection VDB-344689 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746796 \| itsourcecode Society Management System V1.0 SQL injection https://github.com/zpf7029/oblong/issues/3 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A flaw has been found in itsourcecode Society Management System 1.0. This issue affects some unknown processing of the file /admin/delete_expenses.php. This manipulation of the argument expenses_id causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-02-07 | 7.3 | CVE-2026-2115 | VDB-344690 \| itsourcecode Society Management System delete_expenses.php sql injection VDB-344690 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746797 \| itsourcecode Society Management System V1.0 SQL injection https://github.com/zpf7029/oblong/issues/2 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A vulnerability has been found in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/edit_expenses.php. Such manipulation of the argument expenses_id leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-02-07 | 7.3 | CVE-2026-2116 | VDB-344691 \| itsourcecode Society Management System edit_expenses.php sql injection VDB-344691 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746798 \| itsourcecode Society Management System V1.0 SQL injection https://github.com/zpf7029/oblong/issues/1 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A vulnerability was found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/edit_activity.php. Performing a manipulation of the argument activity_id results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-02-07 | 7.3 | CVE-2026-2117 | VDB-344692 \| itsourcecode Society Management System edit_activity.php sql injection VDB-344692 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746884 \| itsourcecode Society Management System V1.0 SQL injection https://github.com/ZooNJarway/CVE/issues/4 https://itsourcecode.com/ |
| UTT--HiPER 810 | A vulnerability was determined in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_4407D4 of the file /goform/formReleaseConnect of the component rehttpd. Executing a manipulation of the argument Isp_Name can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 7.2 | CVE-2026-2118 | VDB-344693 \| UTT HiPER 810 rehttpd formReleaseConnect sub_4407D4 command injection VDB-344693 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746802 \| UTT (艾泰) HiPER 810 nv810v4v1.7.4-141218 Command Injection https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme1.md https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme1.md#poc |
| D-Link--DIR-823X | A vulnerability was identified in D-Link DIR-823X 250416. This affects an unknown function of the file /goform/set_server_settings of the component Configuration Parameter Handler. The manipulation of the argument terminal_addr/server_ip/server_port leads to OS command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-02-08 | 7.2 | CVE-2026-2120 | VDB-344694 \| D-Link DIR-823X Configuration Parameter set_server_settings os command injection VDB-344694 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746916 \| D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/26 https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability was found in D-Link DIR-823X 250416. Affected by this issue is some unknown functionality of the file /goform/set_ac_status. Performing a manipulation of the argument ac_ipaddr/ac_ipstatus/ap_randtime results in OS command injection. The attack may be initiated remotely. The exploit has been made public and could be used. | 2026-02-08 | 7.2 | CVE-2026-2129 | VDB-344764 \| D-Link DIR-823X set_ac_status os command injection VDB-344764 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746935 \| D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/23 https://www.dlink.com/ |
| code-projects--Online Music Site | A security flaw has been discovered in code-projects Online Music Site 1.0. This issue affects some unknown processing of the file /Administrator/PHP/AdminUpdateCategory.php. The manipulation of the argument txtcat results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-08 | 7.3 | CVE-2026-2132 | VDB-344767 | code-projects Online Music Site AdminUpdateCategory.php sql injection VDB-344767 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747210 | code-projects ONLINE MUSIC SITE V1.0 SQL Injection https://github.com/Volije/AdminUpdateCategory/issues/1 https://code-projects.org/ |
| code-projects--Online Music Site | A weakness has been identified in code-projects Online Music Site 1.0. Impacted is an unknown function of the file /Administrator/PHP/AdminUpdateCategory.php. This manipulation of the argument txtimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.3 | CVE-2026-2133 | VDB-344768 | code-projects Online Music Site AdminUpdateCategory.php unrestricted upload VDB-344768 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747213 | code-projects ONLINE MUSIC SITE V1.0 Arbitrary file upload vulnerability https://github.com/Volije/cve2/issues/1 https://code-projects.org/ |
| projectworlds--Online Food Ordering System | A flaw has been found in projectworlds Online Food Ordering System 1.0. This affects an unknown function of the file /view-ticket.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-02-08 | 7.3 | CVE-2026-2136 | VDB-344771 | projectworlds Online Food Ordering System view-ticket.php sql injection VDB-344771 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747230 | projectworlds Online Food Ordering System Project in PHP V1.0 SQL Injection https://github.com/hater-us/CVE/issues/4 |
| D-Link--DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_420688 of the file /goform/set_qos. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2142 | VDB-344777 | D-Link DIR-823X set_qos sub_420688 os command injection VDB-344777 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747428 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/29 https://www.dlink.com/ |
| D-Link--DIR-823X | A security vulnerability has been detected in D-Link DIR-823X 250416. This issue affects some unknown processing of the file /goform/set_ddns of the component DDNS Service. The manipulation of the argument ddnsType/ddnsDomainName/ddnsUserName/ddnsPwd leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 7.2 | CVE-2026-2143 | VDB-344778 | D-Link DIR-823X DDNS Service set_ddns os command injection VDB-344778 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747492 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/25 https://www.dlink.com/ |
| D-Link--DIR-615 | A vulnerability has been found in D-Link DIR-615 4.10. This affects an unknown part of the file adv_firewall.php of the component DMZ Host Feature. Such manipulation of the argument dmz_ipaddr leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-08 | 7.2 | CVE-2026-2151 | VDB-344853 | D-Link DIR-615 DMZ Host Feature adv_firewall.php os command injection VDB-344853 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748031 | Dlink DIR-615 v4.10 OS Command Injection https://pentagonal-time-3a7.notion.site/DIR-615-OS-Command-Injection-2f6e5dd4c5a58053b2b4f166c2a503ba https://www.dlink.com/ |
| D-Link--DIR-615 | A vulnerability was found in D-Link DIR-615 4.10. This vulnerability affects unknown code of the file adv_routing.php of the component Web Configuration Interface. Performing a manipulation of the argument dest_ip/ submask/ gw results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-08 | 7.2 | CVE-2026-2152 | VDB-344854 | D-Link DIR-615 Web Configuration adv_routing.php os command injection VDB-344854 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748032 | Dlink DIR-615 v4.10 OS Command Injection https://pentagonal-time-3a7.notion.site/DIR-615-routing-command-injection-2f6e5dd4c5a580089587f5e78a1bbf70?pvs=74 https://www.dlink.com/ |
| D-Link--DIR-823X | A security flaw has been discovered in D-Link DIR-823X 250416. The affected element is the function sub_4208A0 of the file /goform/set_dmz of the component Configuration Handler. The manipulation of the argument dmz_host/dmz_enable results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2155 | VDB-344857 | D-Link DIR-823X Configuration set_dmz sub_4208A0 os command injection VDB-344857 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748236 | D-Link DIR-823X 250416 OS Command Injection Submit #750038 | D-Link DIR-823X 250416 OS Command Injection (Duplicate) https://github.com/master-abc/cve/issues/32 https://www.dlink.com/ |
| D-Link--DIR-823X | A security vulnerability has been detected in D-Link DIR-823X 250416. This affects the function sub_4175CC of the file /goform/set_static_route_table. Such manipulation of the argument interface/destip/netmask/gateway/metric leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 7.2 | CVE-2026-2157 | VDB-344859 | D-Link DIR-823X set_static_route_table sub_4175CC os command injection VDB-344859 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748376 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/28 https://www.dlink.com/ |
| code-projects--Student Web Portal | A vulnerability was detected in code-projects Student Web Portal 1.0. This impacts an unknown function of the file /check_user.php. Performing a manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. | 2026-02-08 | 7.3 | CVE-2026-2158 | VDB-344860 | code-projects Student Web Portal check_user.php sql injection VDB-344860 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748816 | code-projects.org STUDENT WEB PORTAL IN PHP WITH SOURCE CODE 1.0 SQL Injection https://github.com/Qing-420/cve/blob/main/sql.md https://code-projects.org/ |
| itsourcecode--Directory Management System | A vulnerability was found in itsourcecode Directory Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/forget-password.php. The manipulation of the argument email results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-02-08 | 7.3 | CVE-2026-2161 | VDB-344863 | itsourcecode Directory Management System forget-password.php sql injection VDB-344863 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751082 | itsourcecode Directory Management System V1.0 SQL Injection https://github.com/Wzl731/test/issues/1 https://itsourcecode.com/ |
| detronetdip--E-commerce | A security flaw has been discovered in detronetdip E-commerce 1.0.0. This issue affects some unknown processing of the file /seller/assets/backend/profile/addadhar.php. Performing a manipulation of the argument File results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-08 | 7.3 | CVE-2026-2164 | VDB-344866 | detronetdip E-commerce addadhar.php unrestricted upload VDB-344866 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751853 | detronetdip E-commerce 1.0 Remote Code Execution https://github.com/detronetdip/E-commerce/issues/23 https://github.com/Nixon-H/PHP-Unrestricted-Upload-RCE https://github.com/detronetdip/E-commerce/ |
| detronetdip--E-commerce | A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument email can lead to missing authentication. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-08 | 7.3 | CVE-2026-2165 | VDB-344867 | detronetdip E-commerce Account Creation Endpoint add_seller.php missing authentication VDB-344867 | CTI Indicators (IOB, IOC, IOA) Submit #751857 | detronetdip E-commerce 1.0 Access Control Violation https://github.com/detronetdip/E-commerce/issues/23 https://github.com/Nixon-H/Unauthenticated-Admin-Account-Creation https://github.com/detronetdip/E-commerce/ |
| code-projects--Online Reviewer System | A security vulnerability has been detected in code-projects Online Reviewer System 1.0. The affected element is an unknown function of the file /login/index.php of the component Login. The manipulation of the argument username/password leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 7.3 | CVE-2026-2166 | VDB-344868 | code-projects Online Reviewer System Login index.php sql injection VDB-344868 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751858 | code-projects OnlineReviewerSystem 1.0 SQL Injection Submit #750018 | code-projects ONLINE REVIEWER SYSTEM V1.0 SQL Injection (Duplicate) https://github.com/liaoliao-hla/cve/issues/2 https://code-projects.org/ |
| code-projects--Online Student Management System | A vulnerability was found in code-projects Online Student Management System 1.0. Affected is an unknown function of the file accounts.php of the component Login. Performing a manipulation of the argument username/password results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-02-08 | 7.3 | CVE-2026-2171 | VDB-344872 | code-projects Online Student Management System Login accounts.php sql injection VDB-344872 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749233 | code-projects Online Student Management System in PHP unknown SQL Injection https://code-projects.org/ |
| code-projects--Online Application System for Admission | A vulnerability was determined in code-projects Online Application System for Admission 1.0. Affected by this vulnerability is an unknown functionality of the file enrollment/index.php of the component Login Endpoint. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 7.3 | CVE-2026-2172 | VDB-344873 | code-projects Online Application System for Admission Login Endpoint index.php sql injection VDB-344873 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749253 | code-projects Online Application System for Admission in PHP unknown SQL Injection https://code-projects.org/ |
| code-projects--Online Examination System | A vulnerability was identified in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. | 2026-02-08 | 7.3 | CVE-2026-2173 | VDB-344874 | code-projects Online Examination System login.php sql injection VDB-344874 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749255 | code-projects Online Examination System in PHP unknown sql https://code-projects.org/ |
| code-projects--Contact Management System | A security flaw has been discovered in code-projects Contact Management System 1.0. This affects an unknown part of the component CRUD Endpoint. The manipulation of the argument ID results in improper authentication. The attack may be launched remotely. | 2026-02-08 | 7.3 | CVE-2026-2174 | VDB-344875 | code-projects Contact Management System CRUD Endpoint improper authentication VDB-344875 | CTI Indicators (IOB, IOC, IOA) Submit #749262 | code-projects Contact Management System in PHP unknown Authentication Bypass Issues https://code-projects.org/ |
| D-Link--DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_420618 of the file /goform/set_upnp. This manipulation of the argument upnp_enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2175 | VDB-344876 | D-Link DIR-823X set_upnp sub_420618 os command injection VDB-344876 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749263 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/31 https://www.dlink.com/ |
| SourceCodester--Prison Management System | A vulnerability has been found in SourceCodester Prison Management System 1.0. The impacted element is an unknown function of the component Login. The manipulation leads to session fixation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 7.3 | CVE-2026-2177 | VDB-344880 \| SourceCodester Prison Management System Login session fixiation VDB-344880 \| CTI Indicators (IOB, IOC) Submit #749485 \| SourceCodester Prison Management System Using PHP V1.0 Session Fixiation https://github.com/hater-us/CVE/issues/10 https://www.sourcecodester.com/ |
| UTT--进取 521G | A weakness has been identified in UTT 进取 521G 3.1.1-190816. Affected by this issue is the function doSystem of the file /goform/setSysAdm. Executing a manipulation of the argument passwd1 can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2182 | VDB-344885 \| UTT 进取 521G setSysAdm doSystem command injection VDB-344885 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #749712 \| UTT (艾泰) UTT521G NV521Gv2v3.1.1-190816 Command Injection https://github.com/cha0yang1/UTT521G/blob/main/RCE1.md https://github.com/cha0yang1/UTT521G/blob/main/RCE1.md#poc |
| Great Developers--Certificate Generation System | A vulnerability was detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This vulnerability affects unknown code of the file /restructured/csv.php. The manipulation of the argument photo results in os command injection. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The code repository of the project has not been active for many years. | 2026-02-08 | 7.3 | CVE-2026-2184 | VDB-344887 \| Great Developers Certificate Generation System csv.php os command injection VDB-344887 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #749714 \| Great Developers Certificate Generator System 1.0 Improper Neutralization of Special Elements https://github.com/lakshayyverma/CVE-Discovery/blob/main/Certificate2.md |
| UTT--进取 521G | A vulnerability was determined in UTT 进取 521G 3.1.1-190816. The impacted element is the function sub_446B18 of the file /goform/formPdbUpConfig. Executing a manipulation of the argument policyNames can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 7.2 | CVE-2026-2188 | VDB-344891 \| UTT 进取 521G formPdbUpConfig sub_446B18 os command injection VDB-344891 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #749733 \| UTT (艾泰) UTT521G NV521Gv2v3.1.1-190816 Command Injection https://github.com/cha0yang1/UTT521G/blob/main/RCE2.md |
| itsourcecode--School Management System | A vulnerability was identified in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/report/index.php. The manipulation of the argument ay leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2026-02-08 | 7.3 | CVE-2026-2189 | VDB-344892 \| itsourcecode School Management System index.php sql injection VDB-344892 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #749746 \| itsourcecode School Management System V1.0 SQL Injection https://github.com/angtas/cve/issues/1 https://itsourcecode.com/ |
| itsourcecode--School Management System | A security flaw has been discovered in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/user/controller.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-08 | 7.3 | CVE-2026-2190 | VDB-344893 \| itsourcecode School Management System controller.php sql injection VDB-344893 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #749783 \| itsourcecode School Management System V1.0 SQL Injection https://github.com/yyue02/cve/issues/2 https://itsourcecode.com/ |
| Tenda--AC9 | A weakness has been identified in Tenda AC9 15.03.06.42_multi. Affected is the function formGetDdosDefenceList. This manipulation of the argument security.ddos.map causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2191 | VDB-344894 \| Tenda AC9 formGetDdosDefenceList stack-based overflow VDB-344894 \| CTI Indicators (IOB, IOC, IOA) Submit #749800 \| Tenda AC9 v1.0/V3.0 V15.03.06.42_multi Stack-based Buffer Overflow https://github.com/glkfc/IoT-Vulnerability/blob/main/Tenda/tenda3.md https://www.tenda.com.cn/ |
| Tenda--AC9 | A security vulnerability has been detected in Tenda AC9 15.03.06.42_multi. Affected by this vulnerability is the function formGetRebootTimer. Such manipulation of the argument sys.schedulereboot.start_time/sys.schedulereboot.end_time leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 7.2 | CVE-2026-2192 | VDB-344895 \| Tenda AC9 formGetRebootTimer stack-based overflow VDB-344895 \| CTI Indicators (IOB, IOC, IOA) Submit #749801 \| Tenda AC9 v1.0/V3.0 V15.03.06.42_multi Stack-based Buffer Overflow https://github.com/glkfc/IoT-Vulnerability/blob/main/Tenda/tenda4.md https://www.tenda.com.cn/ |
| code-projects--Online Reviewer System | A vulnerability has been found in code-projects Online Reviewer System 1.0. This vulnerability affects unknown code of the file /system/system/admins/assessments/pretest/questions-view.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 7.3 | CVE-2026-2195 | VDB-344898 \| code-projects Online Reviewer System questions-view.php sql injection VDB-344898 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #750005 \| code-projects Online Reviewer System V1 SQL Injection https://github.com/tiancesec/CVE/issues/16 https://code-projects.org/ |
| TeamViewer--Remote | Improper access control in the TeamViewer Full and Host clients (Windows, macOS, Linux) prior to version 15.74.5 allows an authenticated user to bypass additional access controls with "Allow after confirmation" configuration in a remote session. An exploit could result in unauthorized access prior to local confirmation. The user needs to be authenticated for the remote session via ID/password, Session Link, or Easy Access as a prerequisite to exploit this vulnerability. | 2026-02-05 | 7.2 | CVE-2026-23572 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1003/ |
| apollographql--apollo-server | Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer. | 2026-02-04 | 7.5 | CVE-2026-23897 | https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7 https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643 https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4 |
| open-telemetry--opentelemetry-go | OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0. | 2026-02-02 | 7 | CVE-2026-24051 | https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53 |
| NVIDIA--Megatron-LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering. | 2026-02-03 | 7.8 | CVE-2026-24149 | NVD Mitre |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid password reset token after it has already been used, enabling unauthorized password changes and potential account takeover. This issue has been patched in version 4.2. | 2026-02-03 | 7.8 | CVE-2026-24669 | https://github.com/gunet/openeclass/security/advisories/GHSA-gcqq-fxw6-f866 |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing privileges access affected application pages. This issue has been patched in version 4.2. | 2026-02-03 | 7.3 | CVE-2026-24672 | https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user identifiers. This issue has been patched in version 4.2. | 2026-02-03 | 7.5 | CVE-2026-24773 | https://github.com/gunet/openeclass/security/advisories/GHSA-63pm-pff4-xc9c |
| chainguard-dev--melange | melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3. | 2026-02-04 | 7.8 | CVE-2026-24844 | https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2 https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8 |
| Huawei--HarmonyOS | Heap-based buffer overflow vulnerability in the image module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 7.3 | CVE-2026-24925 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1. | 2026-02-04 | 7.5 | CVE-2026-25121 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14 |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1. | 2026-02-04 | 7.5 | CVE-2026-25140 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6 https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09 |
| chainguard-dev--melange | melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into shell scripts without proper quoting or validation, allowing shell metacharacters to break out of their intended context. The vulnerability affects the built-in patch pipeline which can be invoked through melange build and melange license-check operations. An attacker who can control patch-related inputs (e.g., through pull request-driven CI, build-as-a-service, or by influencing melange configurations) can inject shell metacharacters such as backticks, command substitutions $(…), semicolons, pipes, or redirections to execute arbitrary commands with the privileges of the melange build process. This issue has been patched in version 0.40.3. | 2026-02-04 | 7.8 | CVE-2026-25143 | https://github.com/chainguard-dev/melange/security/advisories/GHSA-rf4g-89h5-crcr https://github.com/chainguard-dev/melange/commit/bd132535cd9f57d4bd39d9ead0633598941af030 |
| openclaw--openclaw | OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29. | 2026-02-04 | 7.8 | CVE-2026-25157 | https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585 |
| fastify--fastify | Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2. | 2026-02-03 | 7.5 | CVE-2026-25223 | https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821 https://hackerone.com/reports/3464114 https://fastify.dev/docs/latest/Reference/Validation-and-Serialization https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125 https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, a stack-based buffer overflow in the icFixXml() function when processing malformed ICC profiles allows potential arbitrary code execution through crafted NamedColor2 tags. This issue has been patched in version 2.3.1.2. | 2026-02-03 | 7.8 | CVE-2026-25502 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c2qq-jf7w-rm27 https://github.com/InternationalColorConsortium/iccDEV/issues/537 https://github.com/InternationalColorConsortium/iccDEV/pull/545 https://github.com/InternationalColorConsortium/iccDEV/commit/be5d7ec5cc137c084c08006aee8cd3ed378c7ac2 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ICC profiles to trigger undefined behavior when loading invalid icImageEncodingType values causing denial of service. This issue has been patched in version 2.3.1.2. | 2026-02-03 | 7.1 | CVE-2026-25503 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pf84-4c7q-x764 https://github.com/InternationalColorConsortium/iccDEV/issues/539 https://github.com/InternationalColorConsortium/iccDEV/pull/547 https://github.com/InternationalColorConsortium/iccDEV/commit/353e6517a31cb6ac9fdd44ac0103bc2fadb25175 |
| modelcontextprotocol--typescript-sdk | MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, a cross-client response data leak occurs when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0. | 2026-02-04 | 7.1 | CVE-2026-25536 | https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7 https://github.com/modelcontextprotocol/typescript-sdk/issues/204 https://github.com/modelcontextprotocol/typescript-sdk/issues/243 |
| Coding-Solo--godot-mcp | Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec(), which spawns a shell. An attacker could inject shell metacharacters like $(command) or &calc to execute arbitrary commands with the privileges of the MCP server process. This affects any tool that accepts projectPath, including create_scene, add_node, load_sprite, and others. This issue has been patched in version 0.1.1. | 2026-02-04 | 7.8 | CVE-2026-25546 | https://github.com/Coding-Solo/godot-mcp/security/advisories/GHSA-8jx2-rhfh-q928 https://github.com/Coding-Solo/godot-mcp/issues/64 https://github.com/Coding-Solo/godot-mcp/pull/67 https://github.com/Coding-Solo/godot-mcp/commit/21c785d923cfdb471ea60323c13807d62dfecc5a |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow (read) vulnerability in CIccIO::WriteUInt16Float() when converting malformed XML to ICC profiles via the iccFromXml tool. This issue has been patched in version 2.3.1.3. | 2026-02-04 | 7.8 | CVE-2026-25582 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-46hq-fphp-jggf https://github.com/InternationalColorConsortium/iccDEV/issues/559 https://github.com/InternationalColorConsortium/iccDEV/pull/561 https://github.com/InternationalColorConsortium/iccDEV/commit/b5e5dd238f609ec1a4efb25674e7fa4bd29d894a |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow vulnerability in CIccFileIO::Read8() when processing malformed ICC profile files via an unchecked fread operation. This issue has been patched in version 2.3.1.3. | 2026-02-04 | 7.8 | CVE-2026-25583 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-5ffg-r52h-fgw3 https://github.com/InternationalColorConsortium/iccDEV/issues/558 https://github.com/InternationalColorConsortium/iccDEV/pull/562 https://github.com/InternationalColorConsortium/iccDEV/commit/8a6df2d8dac1e971a18be66fa36e3a0d6584f919 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a stack-buffer-overflow vulnerability in CIccTagFloatNum<>::GetValues(). This is triggered when processing a malformed ICC profile. The vulnerability allows an out-of-bounds write on the stack, potentially leading to memory corruption, information disclosure, or code execution when processing specially crafted ICC files. This issue has been patched in version 2.3.1.3. | 2026-02-04 | 7.8 | CVE-2026-25584 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xjr3-v3vr-5794 https://github.com/InternationalColorConsortium/iccDEV/issues/551 https://github.com/InternationalColorConsortium/iccDEV/pull/565 https://github.com/InternationalColorConsortium/iccDEV/commit/c9cb108f58683bd87afca616dea3e4cdb884c23f |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a vulnerability at IccCmm.cpp:5793 when reading through index during ICC profile processing. The malformed ICC profile triggers improper array bounds validation in the color management module, resulting in an out-of-bounds read that can lead to memory disclosure or segmentation fault from accessing memory beyond the array boundary. This issue has been patched in version 2.3.1.3. | 2026-02-04 | 7.8 | CVE-2026-25585 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pmqx-q624-jg6w https://github.com/InternationalColorConsortium/iccDEV/issues/552 https://github.com/InternationalColorConsortium/iccDEV/pull/563 https://github.com/InternationalColorConsortium/iccDEV/commit/ba81cd94b9c82b1d3905d45427badbd9d8adfa15 |
| Blesta--Blesta | Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. | 2026-02-03 | 7.5 | CVE-2026-25614 | https://www.blesta.com/2026/01/28/security-advisory/ |
| Blesta--Blesta | Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. | 2026-02-03 | 7.2 | CVE-2026-25615 | https://www.blesta.com/2026/01/28/security-advisory/ |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to 2.3.1.4, SrcPixel and DestPixel stack buffers overlap in CIccTagMultiProcessElement::Apply() in IccTagMPE.cpp. This vulnerability is fixed in 2.3.1.4. | 2026-02-06 | 7.8 | CVE-2026-25634 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-35rg-jcmp-583h https://github.com/InternationalColorConsortium/iccDEV/issues/577 https://github.com/InternationalColorConsortium/iccDEV/pull/579 https://github.com/InternationalColorConsortium/iccDEV/commit/9206e0b8684e4cf4186d9ae768f16760bc1af9ff https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.4 |
| pydantic--pydantic-ai | Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0. | 2026-02-06 | 7.1 | CVE-2026-25640 | https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-wjp5-868j-wqv7 https://github.com/pydantic/pydantic-ai/releases/tag/v1.51.0 |
| datahub-project--datahub | DataHub is an open-source metadata platform. Prior to version 1.3.1.8, the LDAP ingestion source is vulnerable to MITM attack through TLS downgrade. This issue has been patched in version 1.3.1.8. | 2026-02-06 | 7.5 | CVE-2026-25644 | https://github.com/datahub-project/datahub/security/advisories/GHSA-j34h-x7qg-4qw5 |
| kovidgoyal--calibre | calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0. | 2026-02-06 | 7.8 | CVE-2026-25731 | https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0. | 2026-02-06 | 7.5 | CVE-2026-25732 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115 https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82 |
| adonisjs--core | AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9. | 2026-02-06 | 7.2 | CVE-2026-25754 | https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9 |
| adonisjs--core | AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination. This issue has been patched in versions 10.1.3 and 11.0.0-next.9. | 2026-02-06 | 7.5 | CVE-2026-25762 | https://github.com/adonisjs/core/security/advisories/GHSA-xx9g-fh25-4q64 https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3 https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Sweethawk--Zendesk App SweetHawk Survey | Zendesk SweetHawk Survey 1.6 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through support ticket submissions. Attackers can insert XSS payloads like script tags into ticket text that automatically execute when survey pages are loaded by other users. | 2026-02-03 | 6.4 | CVE-2019-25263 | ExploitDB-47781 SweetHawk Survey App Vendor Homepage Zendesk Survey App Software Page VulnCheck Advisory: Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting |
| Snipeitapp--IT Open Source Asset Management | Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags to execute arbitrary JavaScript when the accessory is viewed by other users. | 2026-02-03 | 6.4 | CVE-2019-25264 | ExploitDB-47756 Official Vendor Homepage Snipe-IT Software Release v4.7.5 VulnCheck Advisory: Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting |
| Bigprof--Online Inventory Manager | Online Inventory Manager 3.2 contains a stored cross-site scripting vulnerability in the group description field of the admin edit groups section. Attackers can inject malicious JavaScript through the description field that will execute when the groups page is viewed, allowing potential cookie theft and client-side script execution. | 2026-02-03 | 6.4 | CVE-2019-25265 | ExploitDB-47725 Vendor Homepage Software Download Page VulnCheck Advisory: Online Inventory Manager 3.2 - Persistent Cross-Site Scripting |
| lolypop55--html5_snmp | html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through the 'Remark' parameter in add_router_operation.php. Attackers can craft a POST request with a script payload in the Remark field to execute arbitrary JavaScript in victim browsers when the page is loaded. | 2026-02-06 | 6.4 | CVE-2019-25294 | ExploitDB-47587 Vendor Homepage VulnCheck Advisory: html5_snmp 1.11 - 'Remark' Persistent Cross-Site Scripting |
| thrsrossi--Millhouse Project | Millhouse-Project 1.414 contains a persistent cross-site scripting vulnerability in the comment submission functionality that allows attackers to inject malicious scripts. Attackers can post comments with embedded JavaScript through the 'content' parameter in add_comment_sql.php to execute arbitrary scripts in victim browsers. | 2026-02-06 | 6.4 | CVE-2019-25301 | ExploitDB-47583 Vendor Homepage VulnCheck Advisory: thrsrossi Millhouse-Project 1.414 - 'content' Persistent Cross-Site Scripting |
| Twinkle Toes Software--Booked Scheduler | Booked Scheduler 2.7.7 contains a directory traversal vulnerability in the manage_email_templates.php script that allows authenticated administrators to access unauthorized files. Attackers can exploit the vulnerable 'tn' parameter to read files outside the intended directory by manipulating directory path traversal techniques. | 2026-02-03 | 6.5 | CVE-2020-37077 | ExploitDB-48428 Booked Scheduler Official Website Archived Booked Scheduler SourceForge Page VulnCheck Advisory: Booked Scheduler 2.7.7 - Authenticated Directory Traversal |
| Rubikon Teknoloji--Easy Transfer | Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. Attackers can exploit the vulnerability by manipulating path parameters in GET and POST requests to list or download sensitive system files and inject malicious scripts into application parameters. | 2026-02-03 | 6.2 | CVE-2020-37086 | ExploitDB-48395 Vulnerability-Lab Advisory Official App Store Product Page VulnCheck Advisory: Easy Transfer 1.7 for iOS - Directory Traversal |
| Dnnsoftware--DotNetNuke | DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging attacks. | 2026-02-03 | 6.4 | CVE-2020-37103 | ExploitDB-48124 DotNetNuke Official Vendor Homepage Vulnerability Analysis Blog Post VulnCheck Advisory: DotNetNuke 9.5 - Persistent Cross-Site Scripting |
| Davidvg--60CycleCMS | 60CycleCMS 2.5.2 contains a cross-site scripting (XSS) vulnerability in news.php that allows attackers to inject malicious scripts through GET parameters. Attackers can craft malicious URLs with XSS payloads targeting the 'etsu' and 'ltsu' parameters to execute arbitrary scripts in victims' browsers. This issue does not involve SQL injection. | 2026-02-03 | 6.1 | CVE-2020-37111 | ExploitDB-48177 Vendor Homepage Software Download Link VulnCheck Advisory: 60CycleCMS 2.5.2 - 'news.php' Cross-site Scripting (XSS) Vulnerability |
| Openeclass--GUnet OpenEclass | GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and unauthorized access. | 2026-02-03 | 6.5 | CVE-2020-37115 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - Plaintext Password Storage |
| EmTec--ZOC Terminal | ZOC Terminal 7.25.5 contains a script processing vulnerability that allows local attackers to crash the application by loading a maliciously crafted REXX script file. Attackers can generate an oversized script with 20,000 repeated characters to trigger an application crash and cause a denial of service. | 2026-02-05 | 6.2 | CVE-2020-37128 | ExploitDB-48302 Vendor Homepage VulnCheck Advisory: ZOC Terminal 7.25.5 - 'Script' Denial of Service |
| Nsauditor--Product Key Explorer | Nsauditor Product Key Explorer 4.2.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by inputting a specially crafted registration key. Attackers can generate a payload of 1000 bytes of repeated characters and paste it into the 'Key' input field to trigger the application crash. | 2026-02-05 | 6.2 | CVE-2020-37131 | ExploitDB-48284 Vendor Homepage VulnCheck Advisory: Product Key Explorer 4.2.2.0 - 'Key' Denial of Service |
| UltraVNC Team--UltraVNC Launcher | UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allows local attackers to crash the application. Attackers can paste an overly long 300-character string into the password field to trigger an application crash and prevent normal launcher functionality. | 2026-02-05 | 6.2 | CVE-2020-37132 | ExploitDB-48290 UltraVNC Official Homepage VulnCheck Advisory: UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service |
| PHP Fusion--PHP Fusion | PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code. | 2026-02-05 | 6.1 | CVE-2020-37137 | ExploitDB-48278 PHP Fusion Official Website VulnCheck Advisory: PHP-Fusion 9.03.50 - 'panels.php' Eval Injection |
| Veridium--SprintWork | SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. Local unprivileged users can exploit missing executable files and weak service configurations to create a new administrative user and gain complete system access. | 2026-02-06 | 6.2 | CVE-2020-37160 | ExploitDB-48070 Vendor Homepage Product Information Page VulnCheck Advisory: SprintWork 2.3.1 - Local Privilege Escalation |
| Celestial Software--AbsoluteTelnet | AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character payload and paste it into the license entry field to trigger an application crash. | 2026-02-06 | 6.2 | CVE-2020-37164 | ExploitDB-48005 Vendor Homepage VulnCheck Advisory: AbsoluteTelnet 11.12 - "license entry" Denial of Service |
| Celestial Software--AbsoluteTelnet | AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character payload and paste it into the license name field to trigger an application crash. | 2026-02-06 | 6.2 | CVE-2020-37165 | ExploitDB-48006 Vendor Homepage VulnCheck Advisory: AbsoluteTelnet 11.12 - "license name" Denial of Service |
| Celestial Software--AbsoluteTelnet | AbsoluteTelnet 11.12 contains a denial of service vulnerability in the SSH2 username input field that allows local attackers to crash the application. Attackers can overwrite the username field with a 1000-byte buffer, causing the application to become unresponsive and terminate. | 2026-02-06 | 6.2 | CVE-2020-37166 | ExploitDB-48010 Vendor Homepage VulnCheck Advisory: AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service |
| Raimersoft--TapinRadio | TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy address configuration that allows local attackers to crash the application. Attackers can overwrite the address field with 3000 bytes of arbitrary data to trigger an application crash and prevent normal program functionality. | 2026-02-06 | 6.2 | CVE-2020-37170 | ExploitDB-48011 TapinRadio Product Webpage VulnCheck Advisory: TapinRadio 2.12.3 - 'address' Denial of Service |
| Raimersoft--TapinRadio | TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy username configuration that allows local attackers to crash the application. Attackers can overwrite the username field with 10,000 bytes of arbitrary data to trigger an application crash and prevent normal program functionality. | 2026-02-06 | 6.2 | CVE-2020-37171 | ExploitDB-48013 TapinRadio Product Webpage VulnCheck Advisory: TapinRadio 2.12.3 - 'username' Denial of Service |
| Innomic--VibroLine VLX1 HD 5.0 | An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485). | 2026-02-02 | 6.5 | CVE-2022-50979 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Innomic--VibroLine VLX1 HD 5.0 | An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN. | 2026-02-02 | 6.5 | CVE-2022-50980 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. | 2026-02-04 | 6.3 | CVE-2024-43181 | https://www.ibm.com/support/pages/node/7257006 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. | 2026-02-04 | 6.5 | CVE-2024-51451 | https://www.ibm.com/support/pages/node/7257006 |
| boldthemes--Bold Page Builder | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2025-12159 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f492dcb6-0aa7-476d-bb85-c81a136d02a6?source=cve https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_raw_content/bt_bb_raw_content.php#L25 |
| boldthemes--Bold Page Builder | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2025-12803 | https://www.wordfence.com/threat-intel/vulnerabilities/id/64f30329-ecf2-4e30-bc23-9d447e239e08?source=cve https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php#L65 |
| boldthemes--Bold Page Builder | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2025-13463 | https://www.wordfence.com/threat-intel/vulnerabilities/id/865ff4bf-608e-45f0-a160-35581b82cc2b?source=cve https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.3/content_elements/bt_bb_css_post_grid/bt_bb_css_post_grid.php#L46 https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.3/content_elements/bt_bb_css_post_grid/bt_bb_css_post_grid.js#L8 |
| IBM--webMethods Integration (on prem) - Integration Server | IBM webMethods Integration (on prem) - Integration Server 10.15 through IS_10.15_Core_Fix2411.1 to IS_11.1_Core_Fix8 IBM webMethods Integration could disclose sensitive user information in server responses. | 2026-02-05 | 6.5 | CVE-2025-14150 | https://www.ibm.com/support/pages/node/7259518 |
| Docker Inc.--Docker Desktop | Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer's handling of the C:\ProgramData\DockerDesktop directory. The installer creates this directory without proper ownership verification, creating two exploitation scenarios: Scenario 1 (Persistent Attack): If a low-privileged attacker pre-creates C:\ProgramData\DockerDesktop before Docker Desktop installation, the attacker retains ownership of the directory even after the installer applies restrictive ACLs. At any time after installation completes, the attacker can modify the directory ACL (as the owner) and tamper with critical configuration files such as install-settings.json to specify a malicious credentialHelper, causing arbitrary code execution when any user runs Docker Desktop. Scenario 2 (TOCTOU Attack): During installation, there is a time-of-check-time-of-use (TOCTOU) race condition between when the installer creates C:\ProgramData\DockerDesktop and when it sets secure ACLs. A low-privileged attacker actively monitoring for the installation can inject malicious files (such as install-settings.json) with attacker-controlled ACLs during this window, achieving the same code execution outcome. | 2026-02-04 | 6.7 | CVE-2025-14740 | https://docs.docker.com/security/ https://www.zerodayinitiative.com/advisories/ZDI-CAN-28542/ https://www.zerodayinitiative.com/advisories/ZDI-CAN-28190/ |
| lwsdevelopers--MyRewards Loyalty Points and Rewards for WooCommerce Reward orders, referrals, product reviews and more | The MyRewards - Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it possible for authenticated attackers, with subscriber level access and above, to modify, add, or delete loyalty program earning rules, including manipulating point multipliers to arbitrary values. | 2026-02-04 | 6.5 | CVE-2025-15260 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2591f473-44ff-4319-8b17-b0f793a29d66?source=cve https://plugins.trac.wordpress.org/browser/woorewards/tags/5.6.0/assets/lws-adminpanel/include/internal/editlistcontroler.php#L76 |
| boldthemes--Bold Page Builder | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2025-15267 | https://www.wordfence.com/threat-intel/vulnerabilities/id/38a3b3bf-9538-4ae8-9da4-d4b48805763b?source=cve https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.7/content_elements/bt_bb_accordion_item/bt_bb_accordion_item.php?marks=28#L28 |
| Tanium--Tanium Appliance | Tanium addressed an improper output sanitization vulnerability in Tanium Appliance. | 2026-02-05 | 6.6 | CVE-2025-15312 | TAN-2025-003 |
| Tanium--Engage | Tanium addressed a documentation issue in Engage. | 2026-02-05 | 6.6 | CVE-2025-15324 | TAN-2025-004 |
| Tanium--Discover | Tanium addressed an improper input validation vulnerability in Discover. | 2026-02-05 | 6.3 | CVE-2025-15325 | TAN-2025-005 |
| Tanium--Performance | Tanium addressed an incorrect default permissions vulnerability in Performance. | 2026-02-05 | 6.5 | CVE-2025-15336 | TAN-2025-029 |
| Tanium--Patch | Tanium addressed an incorrect default permissions vulnerability in Patch. | 2026-02-05 | 6.5 | CVE-2025-15337 | TAN-2025-029 |
| Tanium--Partner Integration | Tanium addressed an incorrect default permissions vulnerability in Partner Integration. | 2026-02-05 | 6.5 | CVE-2025-15338 | TAN-2025-029 |
| Tanium--Discover | Tanium addressed an incorrect default permissions vulnerability in Discover. | 2026-02-05 | 6.5 | CVE-2025-15339 | TAN-2025-029 |
| Tanium--Comply | Tanium addressed an incorrect default permissions vulnerability in Comply. | 2026-02-05 | 6.5 | CVE-2025-15340 | TAN-2025-029 |
| Tanium--Benchmark | Tanium addressed an incorrect default permissions vulnerability in Benchmark. | 2026-02-05 | 6.5 | CVE-2025-15341 | TAN-2025-029 |
| Tanium--Enforce | Tanium addressed an incorrect default permissions vulnerability in Enforce. | 2026-02-05 | 6.5 | CVE-2025-15343 | TAN-2025-032 |
| simonfairbairn--The Bucketlister | The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-02-07 | 6.5 | CVE-2025-15477 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fba36ebc-a396-4eb8-8cb6-afc50b9c974e?source=cve https://plugins.trac.wordpress.org/browser/the-bucketlister/tags/0.1.5/bucketlister.php#L19 |
| HCLSoftware--HCL DevOps Velocity | Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerability is fixed in 5.1.7. | 2026-02-07 | 6.8 | CVE-2025-31990 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128585 |
| IBM--PowerVM Hypervisor | IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 could allow a local user with administration privileges to obtain sensitive information from a Virtual TPM through a series of PowerVM service procedures. | 2026-02-02 | 6 | CVE-2025-36238 | https://www.ibm.com/support/pages/node/7257556 |
| IBM--Cloud Pak for Business Automation | IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-02-02 | 6.4 | CVE-2025-36436 | https://www.ibm.com/support/pages/node/7259318 |
| Qualcomm, Inc.--Snapdragon | Memory corruption when calculating oversized partition sizes without proper checks. | 2026-02-02 | 6.8 | CVE-2025-47363 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while calculating offset from partition start point. | 2026-02-02 | 6.8 | CVE-2025-47364 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS when processing a received frame with an excessively large authentication information element. | 2026-02-02 | 6.5 | CVE-2025-47402 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| N/A--Moodle[.]org | A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet. | 2026-02-03 | 6.1 | CVE-2025-67851 | https://access.redhat.com/security/cve/CVE-2025-67851 RHBZ#2423841 https://moodle.org/mod/forum/discuss.php?d=471301 |
| nanomq--nanomq | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7. | 2026-02-04 | 6.5 | CVE-2025-68699 | https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b |
| Microsoft--Microsoft Edge (Chromium-based) | User interface (UI) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. | 2026-02-05 | 6.5 | CVE-2026-0391 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability |
| premmerce--Premmerce | The Premmerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premmerce_wizard_actions' AJAX endpoint in all versions up to, and including, 1.3.20. This is due to missing capability checks and insufficient input sanitization and output escaping on the `state` parameter. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the Premmerce Wizard admin page). | 2026-02-07 | 6.4 | CVE-2026-0555 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90b2a644-19a0-43a1-8ff6-7486d7ef29b3?source=cve https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Admin/Admin.php?marks=41#L41 https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Admin/Handlers/WizardHandler.php?marks=42,50,52#L42 https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Api/WizardApi.php?marks=38#L38 https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/views/admin/tabs/wizard.php?marks=30#L30 |
| webpurify--WebPurify Profanity Filter | The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settings. | 2026-02-04 | 6.5 | CVE-2026-0572 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9283f6ea-8bc4-4fdd-a0b9-05de127f34e4?source=cve https://plugins.trac.wordpress.org/browser/webpurifytextreplace/trunk/webpurifytextreplace-options.php?rev=2343695#L92 |
| zealopensource--Smart Appointment & Booking | The Smart Appointment & Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the saab_save_form_data AJAX action in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-04 | 6.4 | CVE-2026-0742 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bf332c0d-5481-412d-b44a-b3de346d7b60?source=cve https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/admin/class.saab.admin.action.php#L1203 https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/admin/class.saab.admin.action.php#L1203 https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/front/class.saab.front.action.php#L2189 https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/front/class.saab.front.action.php#L2189 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3450387%40smart-appointment-booking&new=3450387%40smart-appointment-booking&sfp_email=&sfph_mail= |
| catchthemes--Essential Widgets | The Essential Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ew-author, ew-archive, ew-category, ew-page, and ew-menu shortcodes in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 3.0. | 2026-02-05 | 6.4 | CVE-2026-0867 | https://www.wordfence.com/threat-intel/vulnerabilities/id/08d4ed49-1338-422f-b55f-a102f2d1d6c8?source=cve https://plugins.trac.wordpress.org/changeset/3440541/essential-widgets https://plugins.trac.wordpress.org/changeset/3447282/essential-widgets |
| thehappymonster--Happy Addons for Elementor | The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-03 | 6.4 | CVE-2026-1210 | https://www.wordfence.com/threat-intel/vulnerabilities/id/df4b554a-0336-404c-b06c-2bc98c99997d?source=cve https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/svg-draw/widget.php#L732 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/svg-draw/widget.php#L732 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2055 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2055 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2120 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2120 https://plugins.trac.wordpress.org/changeset/3451894/happy-elementor-addons/trunk/widgets/svg-draw/widget.php?old=3312461&old_path=happy-elementor-addons%2Ftrunk%2Fwidgets%2Fsvg-draw%2Fwidget.php |
| jackdewey--Events Listing Widget | The Events Listing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Event URL' parameter in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1252 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f3b13a5-0711-4ad3-b11c-f8556e1ca9f9?source=cve https://plugins.trac.wordpress.org/browser/events-listing-widget/trunk/events-listing-widget.php#L266 https://plugins.trac.wordpress.org/browser/events-listing-widget/tags/1.3.4/events-listing-widget.php#L266 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451446%40events-listing-widget&new=3451446%40events-listing-widget&sfp_email=&sfph_mail= |
| brechtvds--Dynamic Widget Content | The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-05 | 6.4 | CVE-2026-1268 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5324ca6d-37cb-41e4-8355-80ca113f855e?source=cve https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L64 https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L70 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444655%40dynamic-widget-content&new=3444655%40dynamic-widget-content&sfp_email=&sfph_mail= |
| cyberlord92--Employee Directory Staff Directory and Listing | The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_title' parameter in the `search_employee_directory` shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1279 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f0d3b54c-6244-4776-be3c-afe3a28a2b8a?source=cve https://plugins.trac.wordpress.org/browser/employee-staff-directory/trunk/handler/mo-empdir-search_handler.php#L29 https://wordpress.org/plugins/employee-staff-directory https://plugins.trac.wordpress.org/browser/employee-staff-directory/tags/1.2.1/handler/mo-empdir-search_handler.php#L29 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448620%40employee-staff-directory&new=3448620%40employee-staff-directory |
| yoast--Yoast SEO Advanced SEO with real-time guidance and built-in AI | The Yoast SEO - Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1293 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8b2e7c2d-ed2f-439b-9cee-f2e5d46121b6?source=cve https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/presenters/schema-presenter.php#L49 https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/inc/class-wpseo-utils.php#L915 https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/generators/schema-generator.php#L188 |
| themeisle--Robin Image Optimizer Unlimited Image Optimization & WebP Converter | The Robin Image Optimizer - Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-05 | 6.4 | CVE-2026-1319 | https://www.wordfence.com/threat-intel/vulnerabilities/id/288cd86b-8d13-46bf-99ef-76698cd62a41?source=cve https://plugins.trac.wordpress.org/changeset/3445467/robin-image-optimizer/tags/2.0.3/libs/addons/includes/classes/webp/vendor/rosell-dk/dom-util-for-webp/src/PictureTags.php |
| jackdewey--Tune Library | The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode. | 2026-02-06 | 6.4 | CVE-2026-1401 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cd600810-b1bc-4025-b441-5c90da7240de?source=cve https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L219 https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L235 https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/writeNodes.php#L113 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451457%40tune-library&new=3451457%40tune-library&sfp_email=&sfph_mail= |
| dannycarlton--Simple Bible Verse via Shortcode | The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `verse` shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1570 | https://www.wordfence.com/threat-intel/vulnerabilities/id/098b979f-337d-4fbd-bfcc-0e8a281e6982?source=cve https://plugins.trac.wordpress.org/browser/simple-bible-verse-via-shortcode/trunk/index.php#L40 |
| omi-mexico--OMIGO | The OMIGO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `omigo_donate_button` shortcode in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1573 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f2cf46e6-a732-45c4-ad18-607009d7a586?source=cve https://plugins.trac.wordpress.org/browser/omigo/trunk/omigo.php?rev=2778497#L386 |
| Foxit Software Inc.--pdfonline.foxit.com | Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the file upload feature. A malicious username is embedded into the upload file list without proper escaping, allowing arbitrary JavaScript execution when the list is displayed. This issue affects pdfonline.foxit.com: before 2026‑02‑03. | 2026-02-03 | 6.3 | CVE-2026-1591 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--pdfonline.foxit.com | Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the Create New Layer feature. Unsanitized user input is embedded into the HTML output, allowing arbitrary JavaScript execution when the layer is referenced. This issue affects pdfonline.foxit.com: before 2026‑02‑03. | 2026-02-03 | 6.3 | CVE-2026-1592 | https://www.foxit.com/support/security-bulletins.html |
| tigor4eg--Video Onclick | The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `youtube` shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1608 | https://www.wordfence.com/threat-intel/vulnerabilities/id/73ddf729-da69-4d0b-866f-34a92ec72800?source=cve https://plugins.trac.wordpress.org/browser/video-onclick/tags/0.4.7/video-onclick.php#L109 |
| jmrukkers--Wikiloops Track Player | The Wikiloops Track Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wikiloops` shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1611 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cb472bdb-de35-45e4-bcea-04f27d425817?source=cve https://plugins.trac.wordpress.org/browser/wikiloops-track-player/tags/1.0.1/Wikiloops-Track-Player.php#L19 |
| mrlister1--Wonka Slide | The Wonka Slide plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `list_class` shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1613 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f15f0211-724d-45b5-bf2f-7482f77c474d?source=cve https://plugins.trac.wordpress.org/browser/wonka-slide/trunk/admin/class-wonka-slide-build.php#L65 |
| alexdtn--Subitem AL Slider | The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-02-07 | 6.1 | CVE-2026-1634 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bfeff72-27de-46a9-b947-f60255b5d062?source=cve https://wordpress.org/plugins/subitem-al-slider/ https://plugins.trac.wordpress.org/browser/subitem-al-slider/trunk/templates/tab1_block1.tpl#L11 https://plugins.trac.wordpress.org/browser/subitem-al-slider/tags/1.0.0/templates/tab1_block1.tpl#L11 |
| ariagle--MP-Ukagaka | The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-02-07 | 6.1 | CVE-2026-1643 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14c3b53c-ba98-4e93-ba65-6da11816d7a6?source=cve https://wordpress.org/plugins/mp-ukagaka/ https://plugins.trac.wordpress.org/browser/mp-ukagaka/trunk/options.php#L160 https://plugins.trac.wordpress.org/browser/mp-ukagaka/tags/1.5.2/options.php#L160 |
| pkthree--Peters Date Countdown | The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-02-05 | 6.1 | CVE-2026-1654 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f8f8e436-2679-4ecb-831e-2b22dd99be32?source=cve https://plugins.trac.wordpress.org/browser/peters-date-countdown/tags/2.0.0/datecountdown.php#L246 https://plugins.trac.wordpress.org/changeset/3450122/ |
| EFM--ipTIME A8004T | A vulnerability was determined in EFM ipTIME A8004T 14.18.2. Affected is the function httpcon_check_session_url of the file /sess-bin/d.cgi of the component Debug Interface. Manipulation of the argument cmd results in a backdoor. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 6.6 | CVE-2026-1741 | VDB-343640 \| EFM ipTIME A8004T Debug d.cgi httpcon_check_session_url backdoor VDB-343640 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741423 \| EFM IPTIME A8004T 14.18.2 Command Injection https://github.com/LX-LX88/cve/issues/28 |
| n/a--JeecgBoot | A vulnerability was identified in JeecgBoot 3.9.0. This vulnerability affects unknown code of the file /JeecgBoot/sys/api/loadDictItemByKeyword of the component Online Report API. Manipulation of the argument keyword leads to SQL injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 6.3 | CVE-2026-1746 | VDB-343677 \| JeecgBoot Online Report API loadDictItemByKeyword sql injection VDB-343677 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741647 \| Beijing Guoju Information Technology Co., Ltd JeecgBoot 3.9.0 SQL Injection https://www.yuque.com/meizhiyuwai/sks4nu/clircmda9b8q66lo?singleDoc |
| themeisle--Menu Icons by ThemeIsle | The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_wp_attachment_image_alt' post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-03 | 6.4 | CVE-2026-1755 | https://www.wordfence.com/threat-intel/vulnerabilities/id/30bfa616-c7f3-4ff0-85b3-468debc8a73e?source=cve https://plugins.trac.wordpress.org/browser/menu-icons/tags/0.13.20/includes/front.php#L497 https://plugins.trac.wordpress.org/changeset/3452685/menu-icons |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system. | 2026-02-02 | 6.2 | CVE-2026-1757 | https://access.redhat.com/security/cve/CVE-2026-1757 RHBZ#2435940 |
| ravanh--Orange Comfort+ accessibility toolbar for WordPress | The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplus_button shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1808 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89cb81c3-25d7-4a4e-beed-558ea8ce721d?source=cve https://plugins.trac.wordpress.org/browser/orange-confort-plus/trunk/inc/class-shortcode.php#L50 https://plugins.trac.wordpress.org/browser/orange-confort-plus/tags/0.7/inc/class-shortcode.php#L50 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3453313%40orange-confort-plus&new=3453313%40orange-confort-plus&sfp_email=&sfph_mail= |
| bolo-blog--bolo-solo | A vulnerability was detected in bolo-blog bolo-solo up to 2.6.4. The impacted element is the function unpackFilteredZip of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component ZIP File Handler. Performing a manipulation of the argument File results in path traversal. The attack can be carried out remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-03 | 6.3 | CVE-2026-1810 | VDB-343978 \| bolo-blog bolo-solo ZIP File BackupService.java unpackFilteredZip path traversal VDB-343978 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742422 \| https://github.com/bolo-blog/bolo-solo/ bolo-solo V2.6.4 Write any file https://github.com/bolo-blog/bolo-solo/issues/326 https://github.com/bolo-blog/bolo-solo/ |
| bolo-blog--bolo-solo | A flaw has been found in bolo-blog bolo-solo up to 2.6.4. This affects the function importFromMarkdown of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. Executing a manipulation of the argument File can lead to path traversal. The attack may be performed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-03 | 6.3 | CVE-2026-1811 | VDB-343979 \| bolo-blog bolo-solo Filename BackupService.java importFromMarkdown path traversal VDB-343979 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742437 \| https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary File Write and Remote Code Execution https://github.com/bolo-blog/bolo-solo/issues/327 https://github.com/bolo-blog/bolo-solo/ |
| bolo-blog--bolo-solo | A vulnerability has been found in bolo-blog bolo-solo up to 2.6.4. This impacts the function importFromCnblogs of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. The manipulation of the argument File leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-03 | 6.3 | CVE-2026-1812 | VDB-343980 \| bolo-blog bolo-solo Filename BackupService.java importFromCnblogs path traversal VDB-343980 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742582 \| https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary file write https://github.com/bolo-blog/bolo-solo/issues/328 https://github.com/bolo-blog/bolo-solo/ |
| bolo-blog--bolo-solo | A vulnerability was found in bolo-blog bolo-solo up to 2.6.4. Affected is an unknown function of the file src/main/java/org/b3log/solo/bolo/pic/PicUploadProcessor.java of the component FreeMarker Template Handler. The manipulation of the argument File results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-03 | 6.3 | CVE-2026-1813 | VDB-343981 \| bolo-blog bolo-solo FreeMarker Template PicUploadProcessor.java unrestricted upload VDB-343981 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #743402 \| https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary File Write and RCE https://github.com/bolo-blog/bolo-solo/issues/329 https://github.com/bolo-blog/bolo-solo/ |
| htplugins--Docus YouTube Video Playlist | The Docus - YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1888 | https://www.wordfence.com/threat-intel/vulnerabilities/id/16c6fec8-81ec-477a-9942-10fd3adb8fa4?source=cve https://plugins.trac.wordpress.org/browser/docus/trunk/includes/class.shortcode.php#L55 https://plugins.trac.wordpress.org/browser/docus/tags/1.0.6/includes/class.shortcode.php#L55 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454510%40docus&new=3454510%40docus&sfp_email=&sfph_mail= |
| n/a--WeKan | A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the component REST API. Performing a manipulation of the argument item.cardId/item.checklistId/card.boardId results in improper authorization. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. The patch is named 251d49eea94834cf351bb395808f4a56fb4dbb44. Upgrading the affected component is recommended. | 2026-02-04 | 6.3 | CVE-2026-1894 | VDB-344266 \| WeKan REST API checklistItems.js Checklist REST Bleed improper authorization VDB-344266 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742663 \| Wekan <8.21 IDOR via REST API / improper object relationship validation https://github.com/wekan/wekan/commit/251d49eea94834cf351bb395808f4a56fb4dbb44 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a--WeKan | A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment Storage Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. Upgrading to version 8.21 addresses this issue. This patch is called 8c0b4f79d8582932528ec2fdf2a4487c86770fb9. It is recommended to upgrade the affected component. | 2026-02-04 | 6.3 | CVE-2026-1895 | VDB-344267 \| WeKan Attachment Storage lists.js applyWipLimit ListWIPBleed access control VDB-344267 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742666 \| Wekan <8.21 Improper access control (CWE-284) https://github.com/wekan/wekan/commit/8c0b4f79d8582932528ec2fdf2a4487c86770fb9 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a--WeKan | A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access controls. The attack can be carried out remotely. Upgrading to version 8.21 addresses this issue. The identifier of the patch is cc35dafef57ef6e44a514a523f9a8d891e74ad8f. Upgrading the affected component is advised. | 2026-02-04 | 6.3 | CVE-2026-1896 | VDB-344268 \| WeKan Migration Operation comprehensiveBoardMigration.js ComprehensiveBoardMigration MigrationBleed access control VDB-344268 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742670 \| Wekan <8.21 Improper access control on administrative migration methods (CWE https://github.com/wekan/wekan/commit/cc35dafef57ef6e44a514a523f9a8d891e74ad8f https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a--WeKan | A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to mitigate this issue. Patch name: 146905a459106b5d00b4f09453a6554255e6965a. You should upgrade the affected component. | 2026-02-05 | 6.3 | CVE-2026-1898 | VDB-344270 | WeKan LDAP User Sync syncUser.js SyncLDAPBleed access control VDB-344270 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742676 | Wekan <8.21 Missing authorization on admin function (CWE-284) https://github.com/wekan/wekan/commit/146905a459106b5d00b4f09453a6554255e6965a https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| x-raym--WaveSurfer-WP | The WaveSurfer-WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's audio shortcode in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping on the 'src' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1909 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b507462d-1ce2-4463-93bf-635ee78274f6?source=cve https://plugins.trac.wordpress.org/browser/wavesurfer-wp/trunk/wavesurfer-wp.php#L739 https://plugins.trac.wordpress.org/browser/wavesurfer-wp/tags/2.8.3/wavesurfer-wp.php#L739 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454006%40wavesurfer-wp&new=3454006%40wavesurfer-wp&sfp_email=&sfph_mail= |
| n/a--WeKan | A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component. | 2026-02-05 | 6.3 | CVE-2026-1962 | VDB-344484 | WeKan Attachment Migration attachmentMigration.js AttachmentMigrationBleed access control VDB-344484 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742677 | Wekan <8.21 Improper access control on migration endpoints (CWE-284) https://github.com/wekan/wekan/commit/053bf1dfb76ef230db162c64a6ed50ebedf67eee https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a--WeKan | A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotely. Upgrading to version 8.21 mitigates this issue. The patch is identified as c413a7e860bc4d93fe2adcf82516228570bf382d. Upgrading the affected component is advised. | 2026-02-05 | 6.3 | CVE-2026-1963 | VDB-344485 | WeKan Attachment Storage attachments.js MoveStorageBleed access control VDB-344485 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742678 | Wekan <8.21 Improper access control (CWE-284) https://github.com/wekan/wekan/commit/c413a7e860bc4d93fe2adcf82516228570bf382d https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| isaacwasserman--mcp-vegalite-server | A security vulnerability has been detected in isaacwasserman mcp-vegalite-server up to 16aefed598b8cd897b78e99b907f6e2984572c61. Affected by this vulnerability is the function eval of the component visualize_data. Such manipulation of the argument vegalite_specification leads to code injection. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-06 | 6.3 | CVE-2026-1977 | VDB-344499 | isaacwasserman mcp-vegalite-server visualize_data eval code injection VDB-344499 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743246 | GitHub mcp-vegalite-server master Code Injection https://github.com/isaacwasserman/mcp-vegalite-server/issues/9 https://github.com/isaacwasserman/mcp-vegalite-server/ |
| abhiphile--fermat-mcp | A vulnerability was detected in abhiphile fermat-mcp up to 47f11def1cd37e45dd060f30cdce346cbdbd6f0a. This vulnerability affects the function eqn_chart of the file fmcp/mpl_mcp/core/eqn_chart.py. Performing a manipulation of the argument equations results in code injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-06 | 6.3 | CVE-2026-2008 | VDB-344590 | abhiphile fermat-mcp eqn_chart.py eqn_chart code injection VDB-344590 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743458 | GitHub fermat-mcp master Code Injection https://github.com/abhiphile/fermat-mcp/issues/9 https://github.com/abhiphile/fermat-mcp/issues/9#issue-3837794397 https://github.com/abhiphile/fermat-mcp/ |
| SourceCodester--Gas Agency Management System | A flaw has been found in SourceCodester Gas Agency Management System 1.0. This issue affects some unknown processing of the file /gasmark/php_action/createUser.php. Executing a manipulation can lead to improper access controls. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-02-06 | 6.3 | CVE-2026-2009 | VDB-344591 | SourceCodester Gas Agency Management System createUser.php access control VDB-344591 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743459 | SourceCodester Gas Agency Management System 1.0 Improper Access Controls https://github.com/Asim-QAZi/Improper-Access-Control-in-SourceCodester-Gas-Agency-Management-System https://www.sourcecodester.com/ |
| Portabilis--i-Educar | A weakness has been identified in Portabilis i-Educar up to 2.10. Affected is an unknown function of the file FinalStatusImportService.php of the component Final Status Import. Executing a manipulation of the argument school_id can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 6.3 | CVE-2026-2015 | VDB-344597 | Portabilis i-Educar Final Status Import FinalStatusImportService.php improper authorization VDB-344597 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743760 | Portabilis i-Educar 2.0 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 Improper Authorization https://github.com/ViniCastro2001/Security_Reports/tree/main/i-educar/BFLA-Final-Status-Import https://github.com/ViniCastro2001/Security_Reports/tree/main/i-educar/BFLA-Final-Status-Import#proof-of-concept-poc |
| Flycatcher Toys--smART Pixelator | A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 6.3 | CVE-2026-2065 | VDB-344632 | Flycatcher Toys smART Pixelator Bluetooth Low Energy missing authentication VDB-344632 | CTI Indicators (IOB, IOC) Submit #745129 | Flycatcher Toys smART Pixelator 2.0 2.0 Missing Authentication https://github.com/davidrxchester/smart-pixelator-upload https://github.com/davidrxchester/smart-pixelator-upload/blob/main/poc.py |
| n/a--O2OA | A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 6.3 | CVE-2026-2074 | VDB-344640 | O2OA HTTP POST Request check xml external entity reference VDB-344640 | CTI Indicators (IOB, IOC, IOA) Submit #745486 | 浙江兰德纵横网络技术股份有限公司 O2OA v6.1.0 至 v9.0.0 XML实体注入漏洞 Submit #745489 | O2OA开发平台 O2OA v6.1.0 至 v9.0.0 XML实体注入漏洞 (Duplicate) https://github.com/SourByte05/SourByte-Lab/issues/7 |
| yeqifu--warehouse | A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected is the function saveRolePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role-Permission Binding Handler. The manipulation results in improper access controls. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2075 | VDB-344641 | yeqifu warehouse Role-Permission Binding RoleController.java saveRolePermission access control VDB-344641 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745508 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Im https://github.com/yeqifu/warehouse/issues/52 https://github.com/yeqifu/warehouse/issues/52#issue-3846645856 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this vulnerability is the function addUser/updateUser/deleteUser of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component User Management Endpoint. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2076 | VDB-344642 | yeqifu warehouse User Management Endpoint UserController.java deleteUser improper authorization VDB-344642 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745509 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/53 https://github.com/yeqifu/warehouse/issues/53#issue-3846651070 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A security vulnerability has been detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function addRole/updateRole/deleteRole of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role Management Handler. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2077 | VDB-344643 | yeqifu warehouse Role Management RoleController.java deleteRole improper authorization VDB-344643 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745512 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/54 https://github.com/yeqifu/warehouse/issues/54#issue-3846654129 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A vulnerability was detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addPermission/updatePermission/deletePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\PermissionController.java of the component Permission Management. Performing a manipulation results in improper authorization. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2078 | VDB-344644 | yeqifu warehouse Permission Management PermissionController.java deletePermission improper authorization VDB-344644 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745513 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/55 https://github.com/yeqifu/warehouse/issues/55#issue-3846656775 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addMenu/updateMenu/deleteMenu of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\MenuController.java of the component Menu Management. Executing a manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been published and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2079 | VDB-344645 | yeqifu warehouse Menu Management MenuController.java deleteMenu improper authorization VDB-344645 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745514 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/56 https://github.com/yeqifu/warehouse/issues/56#issue-3846659524 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\DeptController.java of the component Department Management. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2105 | VDB-344681 | yeqifu warehouse Department Management DeptController.java deleteDept improper authorization VDB-344681 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745515 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/57 https://github.com/yeqifu/warehouse/issues/57#issue-3846662068 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The impacted element is the function addNotice/updateNotice/deleteNotice/batchDeleteNotice of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\NoticeController.java of the component Notice Management. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2106 | VDB-344682 | yeqifu warehouse Notice Management NoticeController.java batchDeleteNotice improper authorization VDB-344682 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745516 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/58 https://github.com/yeqifu/warehouse/issues/58#issue-3846664260 https://github.com/yeqifu/warehouse/ |
| yeqifu--warehouse | A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\LoginfoController.java of the component Log Info Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2107 | VDB-344683 | yeqifu warehouse Log Info LoginfoController.java batchDeleteLoginfo improper authorization VDB-344683 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745517 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/59 https://github.com/yeqifu/warehouse/issues/59#issue-3846665806 https://github.com/yeqifu/warehouse/ |
| Xiaopi--Panel | A security flaw has been discovered in Xiaopi Panel up to 20260126. This impacts an unknown function of the file /demo.php of the component WAF Firewall. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-08 | 6.3 | CVE-2026-2122 | VDB-344695 | Xiaopi Panel WAF Firewall demo.php sql injection VDB-344695 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746917 | Xiaopi Web Application Firewall V1.0.0 Bypass https://github.com/ltranquility/CVE/issues/37 |
| BurtTheCoder--mcp-maigret | A vulnerability was determined in BurtTheCoder mcp-maigret up to 1.0.12. This affects an unknown part of the file src/index.ts of the component search_username. Executing a manipulation of the argument Username can lead to command injection. The attack may be launched remotely. Upgrading to version 1.0.13 is able to mitigate this issue. This patch is called b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a. Upgrading the affected component is advised. | 2026-02-08 | 6.3 | CVE-2026-2130 | VDB-344765 | BurtTheCoder mcp-maigret search_username index.ts command injection VDB-344765 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747171 | GitHub mcp-maigret v1.0.12 Command Injection https://github.com/BurtTheCoder/mcp-maigret/issues/9 https://github.com/BurtTheCoder/mcp-maigret/pull/10 https://github.com/BurtTheCoder/mcp-maigret/commit/b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a https://github.com/BurtTheCoder/mcp-maigret/releases/tag/v1.0.13 https://github.com/BurtTheCoder/mcp-maigret/ |
| XixianLiang--HarmonyOS-mcp-server | A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-02-08 | 6.3 | CVE-2026-2131 | VDB-344766 | XixianLiang HarmonyOS-mcp-server input_text os command injection VDB-344766 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747209 | GitHub HarmonyOS-mcp-server v0.1.0 Command Injection https://github.com/scanleale/MCP_sec/blob/main/HarmonyOS-mcp-server%20RCE%20vulnerability.md |
| UTT--HiPER 810 | A vulnerability was detected in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_43F020 of the file /goform/formPdbUpConfig. Performing a manipulation of the argument policyNames results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-02-08 | 6.3 | CVE-2026-2135 | VDB-344770 | UTT HiPER 810 formPdbUpConfig sub_43F020 command injection VDB-344770 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747222 | UTT (艾泰) HiPER 810 nv810v4v1.7.4-141218 Command Injection https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme2.md |
| WuKongOpenSource--WukongCRM | A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-08 | 6.3 | CVE-2026-2141 | VDB-344776 | WuKongOpenSource WukongCRM URL PermissionServiceImpl.java improper authorization VDB-344776 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747264 | 郑州卡卡罗特软件科技有限公司 WukongCRM WukongCRM-11.x-JAVA logical flaw vulnerability https://github.com/SourByte05/SourByte-Lab/issues/8 |
| guchengwuyue--yshopmall | A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-08 | 6.3 | CVE-2026-2146 | VDB-344848 | guchengwuyue yshopmall co.yixiang.utils.FileUtil updateAvatar unrestricted upload VDB-344848 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747409 | https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 Incomplete Identification of Uploaded File Variables https://github.com/guchengwuyue/yshopmall/issues/40 https://github.com/guchengwuyue/yshopmall/issues/40#issue-3860542812 https://github.com/guchengwuyue/yshopmall/ |
| Totolink--WA300 | A vulnerability was detected in Totolink WA300 5.2cu.7112_B20190227. The impacted element is the function setAPNetwork of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument Ipaddr results in os command injection. The attack may be performed remotely. The exploit is now public and may be used. | 2026-02-08 | 6.3 | CVE-2026-2167 | VDB-344869 | Totolink WA300 cstecgi.cgi setAPNetwork os command injection VDB-344869 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752063 | TOTOLINK WA300 V5.2cu.7112_B20190227 OS Command Injection https://github.com/master-abc/cve/issues/36 https://www.totolink.net/ |
| D-Link--DWR-M921 | A flaw has been found in D-Link DWR-M921 1.1.50. This affects the function sub_419920 of the file /boafrm/formLtefotaUpgradeQuectel. This manipulation of the argument fota_url causes command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-02-08 | 6.3 | CVE-2026-2168 | VDB-344870 | D-Link DWR-M921 formLtefotaUpgradeQuectel sub_419920 command injection VDB-344870 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748838 | D-Link DWR-M921 V1.1.50 Command Injection https://github.com/LX-66-LX/cve-new/issues/2 https://www.dlink.com/ |
| D-Link--DWR-M921 | A vulnerability has been found in D-Link DWR-M921 1.1.50. This impacts an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 6.3 | CVE-2026-2169 | VDB-344871 | D-Link DWR-M921 formLtefotaUpgradeFibocom command injection VDB-344871 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748930 | D-Link DWR-M921 V1.1.50 Command Injection https://github.com/LX-66-LX/cve-new/issues/3 https://www.dlink.com/ |
| code-projects--Contact Management System | A security vulnerability has been detected in code-projects Contact Management System 1.0. This issue affects some unknown processing of the file index.py. Such manipulation of the argument selecteditem[0] leads to sql injection. The attack can be executed remotely. | 2026-02-08 | 6.3 | CVE-2026-2176 | VDB-344877 | code-projects Contact Management System index.py sql injection VDB-344877 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749264 | code-projects Contact Management System in Python unknown SQL Injection https://code-projects.org/ |
| r-huijts--xcode-mcp-server | A vulnerability was found in r-huijts xcode-mcp-server up to f3419f00117aa9949e326f78cc940166c88f18cb. This affects the function registerXcodeTools of the file src/tools/xcode/index.ts of the component run_lldb. The manipulation of the argument args results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The patch is identified as 11f8d6bacadd153beee649f92a78a9dad761f56f. Applying a patch is advised to resolve this issue. | 2026-02-08 | 6.3 | CVE-2026-2178 | VDB-344881 | r-huijts xcode-mcp-server run_lldb index.ts registerXcodeTools command injection VDB-344881 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749569 | GitHub xcode-mcp-server master Command Injection https://github.com/r-huijts/xcode-mcp-server/issues/13 https://github.com/r-huijts/xcode-mcp-server/issues/13#issue-3878065790 https://github.com/r-huijts/xcode-mcp-server/commit/11f8d6bacadd153beee649f92a78a9dad761f56f https://github.com/r-huijts/xcode-mcp-server/ |
| Great Developers--Certificate Generation System | A security vulnerability has been detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This affects an unknown part of the file /restructured/csv.php. The manipulation leads to unrestricted upload. Remote exploitation of the attack is possible. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The code repository of the project has not been active for many years. | 2026-02-08 | 6.3 | CVE-2026-2183 | VDB-344886 | Great Developers Certificate Generation System csv.php unrestricted upload VDB-344886 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749713 | Great Developers Certificate Generator System 1.0 Unrestricted Upload https://github.com/lakshayyverma/CVE-Discovery/blob/main/Certificate.md |
| D-Link--DI-7100G C1 | A vulnerability was detected in D-Link DI-7100G C1 24.04.18D1. Affected by this issue is the function set_jhttpd_info. Performing a manipulation of the argument usb_username results in command injection. Remote exploitation of the attack is possible. | 2026-02-08 | 6.3 | CVE-2026-2193 | VDB-344896 | D-Link DI-7100G C1 set_jhttpd_info command injection VDB-344896 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749803 | D-Link DI-7100G C1, 24.04.18D1 Command Injection https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_4.md https://www.dlink.com/ |
| D-Link--DI-7100G C1 | A flaw has been found in D-Link DI-7100G C1 24.04.18D1. This affects the function start_proxy_client_email. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been published and may be used. | 2026-02-08 | 6.3 | CVE-2026-2194 | VDB-344897 | D-Link DI-7100G C1 start_proxy_client_email command injection VDB-344897 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749804 | D-Link DI-7100G C1: 2020/02/21, 24.04.18D1: 2024/04/18 Command Injection https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_3.md https://www.dlink.com/ |
| glpi-project--glpi | GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23. | 2026-02-04 | 6.5 | CVE-2026-22044 | https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385 https://github.com/glpi-project/glpi/releases/tag/10.0.23 |
| n/a--WeKan | A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component. | 2026-02-08 | 6.3 | CVE-2026-2206 | VDB-344920 | WeKan Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control VDB-344920 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752162 | Wekan <8.21 Improper access control on administrative repair method https://github.com/wekan/wekan/commit/4ce181d17249778094f73d21515f7f863f554743 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a--WeKan | A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotely. Upgrading to version 8.19 is sufficient to fix this issue. The patch is identified as f244a43771f6ebf40218b83b9f46dba6b940d7de. It is suggested to upgrade the affected component. | 2026-02-08 | 6.3 | CVE-2026-2209 | VDB-344923 | WeKan Custom Translation translationBody.js setCreateTranslation improper authorization VDB-344923 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752269 | Wekan <8.20 IDOR in setCreateTranslation. Non-admin could change Custom Tran https://github.com/wekan/wekan/commit/f244a43771f6ebf40218b83b9f46dba6b940d7de https://github.com/wekan/wekan/releases/tag/v8.19 https://github.com/wekan/wekan/ |
| gogs--gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | 6.5 | CVE-2026-22592 | https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57 |
| gogs--gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | 6.5 | CVE-2026-23632 | https://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr |
| gogs--gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | 6.5 | CVE-2026-23633 | https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g |
| Kubernetes--ingress-nginx | A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory. | 2026-02-03 | 6.5 | CVE-2026-24514 | https://github.com/kubernetes/kubernetes/issues/136680 |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted endpoints allows attackers to induce authenticated teachers to perform unintended actions, such as modifying assignment grades, via crafted requests. This issue has been patched in version 4.2. | 2026-02-03 | 6.5 | CVE-2026-24666 | https://github.com/gunet/openeclass/security/advisories/GHSA-cgmh-73qg-28fm |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add content to existing course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2. | 2026-02-03 | 6.5 | CVE-2026-24668 | https://github.com/gunet/openeclass/security/advisories/GHSA-22cq-9fr7-fq6v |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create new course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2. | 2026-02-03 | 6.5 | CVE-2026-24670 | https://github.com/gunet/openeclass/security/advisories/GHSA-4jf5-636r-hv9v |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-privileged users (teachers or administrators) to inject malicious JavaScript into multiple user-controllable input fields across the application, which is executed when other users access affected pages. This issue has been patched in version 4.2. | 2026-02-03 | 6.1 | CVE-2026-24671 | https://github.com/gunet/openeclass/security/advisories/GHSA-2x83-4fh2-fcw7 |
| Huawei--HarmonyOS | Out-of-bounds read issue in the media subsystem. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2026-02-06 | 6.2 | CVE-2026-24915 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ https://consumer.huawei.com/en/support/bulletinvision/2026/2/ |
| Huawei--HarmonyOS | UAF vulnerability in the security module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6.5 | CVE-2026-24917 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei--HarmonyOS | Address read vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6.8 | CVE-2026-24918 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ https://consumer.huawei.com/en/support/bulletinvision/2026/2/ |
| Huawei--HarmonyOS | Out-of-bounds write vulnerability in the DFX module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6 | CVE-2026-24919 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei--HarmonyOS | Permission control vulnerability in the AMS module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6.2 | CVE-2026-24920 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinvision/2026/2/ |
| Huawei--HarmonyOS | Buffer overflow vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6.9 | CVE-2026-24922 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ |
| Huawei--HarmonyOS | Permission control vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 6.3 | CVE-2026-24923 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ |
| Huawei--HarmonyOS | Vulnerability of improper permission control in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 6.1 | CVE-2026-24924 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| openclaw--openclaw | OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30. | 2026-02-04 | 6.5 | CVE-2026-25475 | https://github.com/openclaw/openclaw/security/advisories/GHSA-r8g4-86fx-92mq |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory access. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7. | 2026-02-04 | 6.3 | CVE-2026-25507 | https://github.com/espressif/esp-idf/security/advisories/GHSA-h7r3-gmg9-xjmg https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9 https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7 https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70 https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6 https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663 https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63 |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7. | 2026-02-04 | 6.3 | CVE-2026-25508 | https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9 https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9 https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7 https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70 https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6 https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663 https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0. | 2026-02-06 | 6.1 | CVE-2026-25516 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282 https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561 |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a vulnerability exists in the WPS (Wi-Fi Protected Setup) Enrollee implementation where malformed EAP-WSC packets with truncated payloads can cause integer underflow during fragment length calculation. When processing EAP-Expanded (WSC) messages, the code computes frag_len by subtracting header sizes from the total packet length. If an attacker sends a packet where the EAP Length field covers only the header and flags but omits the expected payload (such as the 2-byte Message Length field when WPS_MSG_FLAG_LEN is set), frag_len becomes negative. This negative value is then implicitly cast to size_t when passed to wpabuf_put_data(), resulting in a very large unsigned value. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7. | 2026-02-04 | 6.3 | CVE-2026-25532 | https://github.com/espressif/esp-idf/security/advisories/GHSA-m2h2-683f-9mw7 https://github.com/espressif/esp-idf/commit/60f992a26de17bb5406f2149a2f8282dd7ad1c59 https://github.com/espressif/esp-idf/commit/6f6766f917bc940ffbcc97eac4765a6ab15d5f79 https://github.com/espressif/esp-idf/commit/73a587d42a57ece1962b6a4c530b574600650f63 https://github.com/espressif/esp-idf/commit/b209fae993d795255827ce6b2b0d6942a377f5d4 https://github.com/espressif/esp-idf/commit/b88befde6b5addcdd8d7373ce55c8052dea1e855 https://github.com/espressif/esp-idf/commit/cad36beb4cde27abcf316cd90d8d8dddbc6f213a https://github.com/espressif/esp-idf/commit/de28801e8ea6a736b6f0db6fc0c682739363bb41 |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache`. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regard to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6. | 2026-02-04 | 6.5 | CVE-2026-25540 | https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr |
| navidrome--navidrome | Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0. | 2026-02-04 | 6.1 | CVE-2026-25578 | https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6 https://github.com/navidrome/navidrome/releases/tag/v0.60.0 |
| tgies--client-certificate-auth | client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0. | 2026-02-06 | 6.1 | CVE-2026-25651 | https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4 https://github.com/tgies/client-certificate-auth/releases/tag/v1.0.0 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132. | 2026-02-06 | 6.6 | CVE-2026-25749 | https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43 https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9 https://github.com/vim/vim/releases/tag/v9.1.2132 |
| BishopFox--sliver | Sliver is a command and control framework that uses a custom WireGuard netstack. Prior to 1.6.11, a path traversal in the website content subsystem lets an authenticated operator read arbitrary files on the Sliver server host. This is an authenticated path traversal / arbitrary file read issue, and it can expose credentials, configs, and keys. This vulnerability is fixed in 1.6.11. | 2026-02-06 | 6.5 | CVE-2026-25760 | https://github.com/BishopFox/sliver/security/advisories/GHSA-2286-hxv5-cmp2 https://github.com/BishopFox/sliver/commit/818127349ccec812876693c4ca74ebf4350ec6b7 |
| Maian Media--Maian Support Helpdesk | Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload capabilities through the FAQ attachment system. | 2026-02-03 | 5.3 | CVE-2020-37091 | ExploitDB-48386 Vendor Homepage VulnCheck Advisory: Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin) |
| EDIMAX Technology Co., Ltd.--EW-7438RPn Mini | Edimax EW-7438RPn 1.13 contains a cross-site request forgery vulnerability in the MAC filtering configuration interface. Attackers can craft malicious web pages to trick users into adding unauthorized MAC addresses to the device's filtering rules without their consent. | 2026-02-03 | 5.3 | CVE-2020-37096 | ExploitDB-48366 Edimax EW-7438RPn Product Homepage VulnCheck Advisory: Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering) |
| Bdtask--Business Live Chat Software | Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with administrative access parameters. | 2026-02-06 | 5.3 | CVE-2020-37106 | ExploitDB-48141 Business Live Chat Software Vendor Homepage VulnCheck Advisory: Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin) |
| Code::Blocks--Code::Blocks | CODE::BLOCKS 16.01 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler with crafted Unicode characters. Attackers can create a malicious M3U playlist file with 536 bytes of buffer and shellcode to trigger remote code execution. | 2026-02-05 | 5.5 | CVE-2020-37121 | ExploitDB-48344 CODE::BLOCKS Product Homepage CODE::BLOCKS SourceForge Repository VulnCheck Advisory: CODE::BLOCKS 16.01 - Buffer Overflow (SEH) UNICODE |
| dnsmasq--dnsmasq-utils | Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying excessive input. Attackers can trigger a core dump and terminate the dhcp_release process by sending a crafted input string longer than 16 characters. | 2026-02-05 | 5.5 | CVE-2020-37127 | ExploitDB-48301 Software Link for dnsmasq 2.79-1 VulnCheck Advisory: dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service |
| FinalWire--Everest | Everest, later referred to as AIDA64, 5.50.2100 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating file open functionality. Attackers can generate a 450-byte buffer of repeated characters and paste it into the file open dialog to trigger an application crash. | 2026-02-05 | 5.5 | CVE-2020-37140 | ExploitDB-48259 Archived Product Page VulnCheck Advisory: Everest 5.50.2100 - 'Open File' Denial of Service |
| Exagate--Sysguard 6001 | Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative privileges without the victim's consent. | 2026-02-05 | 5.3 | CVE-2020-37144 | ExploitDB-48234 Exagate Vendor Homepage Archived Sysguard 6001 Product Page VulnCheck Advisory: Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin) |
| IBM--Cloud Pak System | IBM Cloud Pak System displays sensitive information in user messages that could aid in further attacks against the system. | 2026-02-04 | 5.3 | CVE-2023-38010 | https://www.ibm.com/support/pages/node/7254419 |
| IBM--Cloud Pak System | IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-02-04 | 5.3 | CVE-2023-38017 | https://www.ibm.com/support/pages/node/7254419 |
| IBM--Cloud Pak System | IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | 2026-02-04 | 5.3 | CVE-2023-38281 | https://www.ibm.com/support/pages/node/7254419 |
| IBM--Db2 Big SQL on Cloud Pak for Data | IBM Db2 Big SQL on Cloud Pak for Data versions 7.6 (on CP4D 4.8), 7.7 (on CP4D 5.0), and 7.8 (on CP4D 5.1) do not properly limit the allocation of system resources. An authenticated user with internal knowledge of the environment could exploit this weakness to cause a denial of service. | 2026-02-04 | 5.3 | CVE-2024-39724 | https://www.ibm.com/support/pages/node/7257907 |
| cyberlord92--OAuth Single Sign On SSO (OAuth Client) | The OAuth Single Sign On - SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the 'oauthredirect' option parameter. This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter granted they can access the site directly. | 2026-02-06 | 5.3 | CVE-2025-10753 | https://www.wordfence.com/threat-intel/vulnerabilities/id/915e1a6e-ad9c-4849-8ae0-3ded18720a1f?source=cve https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L260 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399223%40miniorange-login-with-eve-online-google-facebook&new=3399223%40miniorange-login-with-eve-online-google-facebook&sfp_email=&sfph_mail= |
| IBM--App Connect Operator | IBM App Connect Enterprise Certified Container up to 12.19.0 (Continuous Delivery) and 12.0 LTS (Long Term Support) could allow an attacker to access sensitive files or modify configurations due to an untrusted search path. | 2026-02-05 | 5.1 | CVE-2025-13491 | https://www.ibm.com/support/pages/node/7259746 |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action. | 2026-02-05 | 5.3 | CVE-2025-14079 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6fd3ea16-4706-4573-b905-93dff434968d?source=cve https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.4/includes/class-crm-ajax-functions-one.php#L15 https://plugins.trac.wordpress.org/changeset/3449609/ |
| unitecms--Unlimited Elements For Elementor | The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget's Button Link field in versions up to 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-03 | 5.4 | CVE-2025-14274 | https://www.wordfence.com/threat-intel/vulnerabilities/id/482c4986-3677-4754-992b-ea9be7573d2e?source=cve https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/framework/functions.class.php#L2859 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_params_processor.class.php#L1518 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3429507%40unlimited-elements-for-elementor%2Ftrunk&old=3403331%40unlimited-elements-for-elementor%2Ftrunk&sfp_email=&sfph_mail=#file15 |
| tpixendit--Xendit Payment | The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by sending a crafted POST request to the callback URL with a JSON body containing an `external_id` matching the order ID pattern and a `status` of 'PAID' or 'SETTLED', granted they can enumerate order IDs (which are sequential integers). This leads to orders being fraudulently marked as completed without any actual payment, resulting in financial loss and inventory depletion. | 2026-02-04 | 5.3 | CVE-2025-14461 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2791bbd5-9101-4484-a352-0e4d2ce04e5d?source=cve https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts/trunk/woocommerce-xendit-pg.php#L252 https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts/tags/6.0.2/woocommerce-xendit-pg.php#L252 |
| Tanium--Enforce | Tanium addressed an improper link resolution before file access vulnerability in Enforce. | 2026-02-05 | 5 | CVE-2025-15328 | TAN-2025-007 |
| chapaet--Chapa Payment Gateway Plugin for WooCommerce | The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key. | 2026-02-04 | 5.3 | CVE-2025-15482 | https://www.wordfence.com/threat-intel/vulnerabilities/id/190492ec-5982-4dce-9e97-16a518a01a27?source=cve https://plugins.trac.wordpress.org/browser/chapa-payment-gateway-for-woocommerce/tags/1.0.3/includes/class-waf-wc-chapa-gateway.php#L418 |
| magicimport--Magic Import Document Extractor | The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance. | 2026-02-04 | 5.3 | CVE-2025-15507 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6854e470-26ac-4747-b72c-164e79e1a1b1?source=cve https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L225 |
| magicimport--Magic Import Document Extractor | The Magic Import Document Extractor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4 via the get_frontend_settings() function. This makes it possible for unauthenticated attackers to extract the site's magicimport.ai license key from the page source on any page containing the plugin's shortcode. | 2026-02-04 | 5.3 | CVE-2025-15508 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9ec72ac5-1851-4074-bea4-ccfd684b9c8d?source=cve https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L379 |
| IBM--Engineering Lifecycle Management - Global Configuration Management | IBM Engineering Lifecycle Management - Global Configuration Management 7.0.3 through 7.0.3 Interim Fix 017, and 7.1.0 through 7.1.0 Interim Fix 004, is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. | 2026-02-03 | 5.4 | CVE-2025-36033 | https://www.ibm.com/support/pages/node/7258063 |
| IBM--Cloud Pak for Business Automation | IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 could allow an authenticated user to cause a denial of service or corrupt existing data due to the improper validation of input length. | 2026-02-03 | 5.4 | CVE-2025-36094 | https://www.ibm.com/support/pages/node/7259318 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 2026-02-02 | 5.9 | CVE-2025-36253 | https://www.ibm.com/support/pages/node/7257565 |
| HCL--AION | Root File System Not Mounted as Read-Only configuration vulnerability. This can allow unintended modifications to critical system files, potentially increasing the risk of system compromise or unauthorized changes. This issue affects AION: 2.0. | 2026-02-03 | 5.5 | CVE-2025-52627 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| N/A--Moodle[.]org | A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user's browser. | 2026-02-03 | 5.4 | CVE-2025-67855 | https://access.redhat.com/security/cve/CVE-2025-67855 RHBZ#2423861 |
| N/A--Moodle[.]org | A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features. | 2026-02-03 | 5.4 | CVE-2025-67856 | https://access.redhat.com/security/cve/CVE-2025-67856 RHBZ#2423864 |
| khoj-ai--khoj | Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index. This attack requires knowing the user's UUID which can be leaked through shared conversations where an AI generated image is present. This vulnerability is fixed in 2.0.0-beta.23. | 2026-02-02 | 5.4 | CVE-2025-69207 | https://github.com/khoj-ai/khoj/security/advisories/GHSA-6whj-7qmg-86qj https://github.com/khoj-ai/khoj/commit/1b7ccd141d47f365edeccc57d7316cb0913d748b https://github.com/khoj-ai/khoj/releases/tag/2.0.0-beta.23 |
| fortispay--Fortis for WooCommerce | The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order statuses to paid/processing/completed, effectively allowing them to mark orders as paid without payment. | 2026-02-04 | 5.3 | CVE-2026-0679 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f16c098-3e99-4506-b517-ae4b838a0925?source=cve https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/trunk/classes/WC_Gateway_Fortis.php#L1674 https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/tags/1.2.0/classes/WC_Gateway_Fortis.php#L1674 |
| alimir--WP ULike Engagement Analytics & Interactive Buttons to Understand Your Audience | The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.8.3.1. This is due to the `wp_ulike_delete_history_api` AJAX action not verifying that the log entry being deleted belongs to the current user. This makes it possible for authenticated attackers, with Subscriber-level access and above (granted the 'stats' capability is assigned to their role), to delete arbitrary log entries belonging to other users via the 'id' parameter. | 2026-02-03 | 5.3 | CVE-2026-0909 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bee2e520-46cc-4b54-9849-fafb9b37ba19?source=cve https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/admin/admin-ajax.php#L94 https://plugins.trac.wordpress.org/browser/wp-ulike/tags/4.8.3.1/admin/admin-ajax.php#L94 https://plugins.trac.wordpress.org/changeset/3451296/wp-ulike/trunk/admin/admin-ajax.php |
| brainstormforce--Spectra Gutenberg Blocks Website Builder for the Block Editor | The Spectra Gutenberg Blocks - Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block. | 2026-02-03 | 5.3 | CVE-2026-0950 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ccaccf03-4162-4365-9f12-0363a78e91d4?source=cve https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1303 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1303 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1621 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1621 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L2196 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L2196 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-helper.php#L1403 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/classes/class-uagb-helper.php#L1403 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3443216%40ultimate-addons-for-gutenberg%2Ftrunk&old=3410395%40ultimate-addons-for-gutenberg%2Ftrunk&sfp_email=&sfph_mail= |
| metagauss--ProfileGrid User Profiles, Groups and Communities | The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user's profile picture or cover image, including administrators. | 2026-02-05 | 5.3 | CVE-2026-1271 | https://www.wordfence.com/threat-intel/vulnerabilities/id/712535ce-8c38-4944-aa0a-36d9bacaeb67?source=cve https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/crop.php#L73 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/coverimg_crop.php#L60 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.7/public/partials/crop.php#L73 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.7/public/partials/coverimg_crop.php#L60 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448434%40profilegrid-user-profiles-groups-and-communities&new=3448434%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail= |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications. | 2026-02-03 | 5.3 | CVE-2026-1371 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f5c5f64-a864-4ce1-9080-19f7c4418307?source=cve https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L106 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L658 https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/ecommerce/CouponController.php?contextall=1&old=3422766&old_path=%2Ftutor%2Ftrunk%2Fecommerce%2FCouponController.php |
| getwpfunnels--Mail Mint Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more | The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting. | 2026-02-03 | 5.4 | CVE-2026-1447 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e67ae204-2848-4389-a78d-7b3798e4ee54?source=cve https://plugins.trac.wordpress.org/browser/mail-mint/trunk/app/API/Routes/Admin/Contact/ContactProfileRoute.php#L105 https://plugins.trac.wordpress.org/browser/mail-mint/tags/1.19.2/app/API/Routes/Admin/Contact/ContactProfileRoute.php#L105 https://plugins.trac.wordpress.org/browser/mail-mint/trunk/app/API/Actions/Admin/Contact/ContactProfileAction.php#L85 https://plugins.trac.wordpress.org/browser/mail-mint/tags/1.19.2/app/API/Actions/Admin/Contact/ContactProfileAction.php#L85 https://plugins.trac.wordpress.org/changeset/3449536/mail-mint/trunk/app/API/Actions/Admin/Contact/ContactProfileAction.php?old=3032077&old_path=mail-mint%2Ftrunk%2Fapp%2FAPI%2FActions%2FAdmin%2FContact%2FContactProfileAction.php |
| F5--NGINX Open Source | A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side, along with conditions beyond the attacker's control, may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 5.9 | CVE-2026-1642 | https://my.f5.com/manage/s/article/K000159824 |
| brstefanovic--Advanced Country Blocker | The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for unauthenticated attackers to bypass the geolocation blocking mechanism by appending the key to any URL on sites where the administrator has not changed the default value. | 2026-02-07 | 5.3 | CVE-2026-1675 | https://www.wordfence.com/threat-intel/vulnerabilities/id/30747988-83f9-41f9-9bc5-1f533bc4cb94?source=cve https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L278 https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L336 https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L420 |
| n/a--Open5GS | A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c of the component SGWC. Such manipulation leads to reachable assertion. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. A patch should be applied to remediate this issue. The issue report is flagged as already-fixed. | 2026-02-02 | 5.3 | CVE-2026-1736 | VDB-343635 \| Open5GS SGWC s11-handler.c assertion VDB-343635 \| CTI Indicators (IOB, IOC, IOA) Submit #741191 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4270 https://github.com/open5gs/open5gs/issues/4270#event-21968624624 https://github.com/open5gs/open5gs/issues/4270#issue-3795141303 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was detected in Open5GS up to 2.7.6. The affected element is the function sgwc_s5c_handle_create_bearer_request of the file /src/sgwc/s5c-handler.c of the component CreateBearerRequest Handler. Performing a manipulation results in reachable assertion. Remote exploitation of the attack is possible. The exploit is now public and may be used. To fix this issue, it is recommended to deploy a patch. The issue report is flagged as already-fixed. | 2026-02-02 | 5.3 | CVE-2026-1737 | VDB-343636 \| Open5GS CreateBearerRequest s5c-handler.c sgwc_s5c_handle_create_bearer_request assertion VDB-343636 \| CTI Indicators (IOB, IOC, IOA) Submit #741192 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4271 https://github.com/open5gs/open5gs/issues/4271#event-21968630023 https://github.com/open5gs/open5gs/issues/4271#issue-3795147720 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A flaw has been found in Open5GS up to 2.7.6. The impacted element is the function sgwc_tunnel_add of the file /src/sgwc/context.c of the component SGWC. Executing a manipulation of the argument pdr can lead to reachable assertion. The attack can be executed remotely. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed. | 2026-02-02 | 5.3 | CVE-2026-1738 | VDB-343637 \| Open5GS SGWC context.c sgwc_tunnel_add assertion VDB-343637 \| CTI Indicators (IOB, IOC, IOA) Submit #741193 \| Open5gs SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4261 https://github.com/open5gs/open5gs/issues/4261#event-21968563677 https://github.com/open5gs/open5gs/issues/4261#issue-3787803578 https://github.com/open5gs/open5gs/ |
| Free5GC--pcf | A vulnerability has been found in Free5GC pcf up to 1.4.1. This affects the function HandleCreateSmPolicyRequest of the file internal/sbi/processor/smpolicy.go. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is df535f5524314620715e842baf9723efbeb481a7. Applying a patch is the recommended action to fix this issue. | 2026-02-02 | 5.3 | CVE-2026-1739 | VDB-343638 \| Free5GC pcf smpolicy.go HandleCreateSmPolicyRequest null pointer dereference VDB-343638 \| CTI Indicators (IOB, IOC, IOA) Submit #741194 \| free5gc PCF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/803 https://github.com/free5gc/pcf/pull/62 https://github.com/free5gc/free5gc/issues/803#issue-3815770007 https://github.com/free5gc/pcf/commit/df535f5524314620715e842baf9723efbeb481a7 https://github.com/free5gc/pcf/ |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests, causing SoupServer to fail to close the connection as required by RFC 9112. This allows the attacker to smuggle additional requests over the persistent connection, leading to unintended request processing and potential denial-of-service (DoS) conditions. | 2026-02-02 | 5.3 | CVE-2026-1760 | https://access.redhat.com/security/cve/CVE-2026-1760 RHBZ#2435951 |
| Xerox--CentreWare | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS. This issue affects CentreWare: through 7.0.6. Consider upgrading Xerox® CentreWare Web® to v7.2.2.25 via the software available on Xerox.com | 2026-02-06 | 5.3 | CVE-2026-1769 | https://securitydocs.business.xerox.com/wp-content/uploads/2026/02/Xerox-Security-Bulletin-XRX26-003-for-Xerox-CentreWare-Web.pdf |
| AWS--SageMaker Python SDK | Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed. | 2026-02-02 | 5.9 | CVE-2026-1778 | https://aws.amazon.com/security/security-bulletins/2026-004-AWS/ https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-62rc-f4v9-h543 https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.1.1 https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure. | 2026-02-03 | 5.3 | CVE-2026-1801 | https://access.redhat.com/security/cve/CVE-2026-1801 RHBZ#2436315 |
| n/a--WeKan | A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.cardId/item.checklistId/card.boardId leads to improper authorization. The attack may be launched remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. Upgrading to version 8.21 mitigates this issue. The name of the patch is cabfeed9a68e21c469bf206d8655941444b9912c. It is suggested to upgrade the affected component. | 2026-02-04 | 5 | CVE-2026-1892 | VDB-344265 \| WeKan REST API boards.js setBoardOrgs improper authorization VDB-344265 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742662 \| Wekan <8.21 IDOR via REST API / improper object relationship validation https://github.com/wekan/wekan/commit/cabfeed9a68e21c469bf206d8655941444b9912c https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| Edimax--BR-6208AC | A vulnerability was found in Edimax BR-6208AC 2_1.02. The affected element is the function auth_check_userpass2. Performing a manipulation of the argument Username/Password results in use of default credentials. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 5.3 | CVE-2026-1972 | VDB-344494 \| Edimax BR-6208AC auth_check_userpass2 default credentials VDB-344494 \| CTI Indicators (IOB, IOC, IOA) Submit #744032 \| Edimax BR-6208AC V2_1.02 Weak Authentication https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Weak-Password-Authentication-Vulnerability-in-auth_check_userpass2-Functi-2f0b5c52018a801c9645dd5261717901?source=copy_link |
| n/a--Free5GC | A vulnerability was determined in Free5GC up to 4.1.0. The impacted element is the function establishPfcpSession of the component SMF. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. It is best practice to apply a patch to resolve this issue. | 2026-02-06 | 5.3 | CVE-2026-1973 | VDB-344495 \| Free5GC SMF establishPfcpSession null pointer dereference VDB-344495 \| CTI Indicators (IOB, IOC, IOA) Submit #743236 \| free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/815 https://github.com/free5gc/free5gc/issues/815#issue-3832032062 https://github.com/free5gc/smf/pull/189 https://github.com/free5gc/free5gc/ |
| n/a--Free5GC | A vulnerability was identified in Free5GC up to 4.1.0. This affects the function ResolveNodeIdToIp of the file internal/sbi/processor/datapath.go of the component SMF. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. It is recommended to apply a patch to fix this issue. | 2026-02-06 | 5.3 | CVE-2026-1974 | VDB-344496 \| Free5GC SMF datapath.go ResolveNodeIdToIp denial of service VDB-344496 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #743237 \| free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/816 https://github.com/free5gc/free5gc/issues/816#issue-3832055233 https://github.com/free5gc/smf/pull/189 https://github.com/free5gc/free5gc/ |
| n/a--Free5GC | A security flaw has been discovered in Free5GC up to 4.1.0. This impacts the function identityTriggerType of the file pfcp_reports.go. The manipulation results in null pointer dereference. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Applying a patch is advised to resolve this issue. | 2026-02-06 | 5.3 | CVE-2026-1975 | VDB-344497 \| Free5GC pfcp_reports.go identityTriggerType null pointer dereference VDB-344497 \| CTI Indicators (IOB, IOC, IOA) Submit #743238 \| free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/814 https://github.com/free5gc/free5gc/issues/814#issue-3831993593 https://github.com/free5gc/smf/pull/189 https://github.com/free5gc/free5gc/ |
| n/a--Free5GC | A weakness has been identified in Free5GC up to 4.1.0. Affected is the function SessionDeletionResponse of the component SMF. This manipulation causes null pointer dereference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. It is suggested to install a patch to address this issue. | 2026-02-06 | 5.3 | CVE-2026-1976 | VDB-344498 \| Free5GC SMF SessionDeletionResponse null pointer dereference VDB-344498 \| CTI Indicators (IOB, IOC, IOA) Submit #743239 \| free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/817 https://github.com/free5gc/free5gc/issues/817#issue-3832188092 https://github.com/free5gc/smf/pull/189 https://github.com/free5gc/free5gc/ |
| kalyan02--NanoCMS | A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The exploit is now public and may be used. You should change the configuration settings. | 2026-02-06 | 5.3 | CVE-2026-1978 | VDB-344500 \| kalyan02 NanoCMS User Information pagesdata.txt direct request VDB-344500 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #743260 \| SourceCodester NanoCMS V0.4 Sensitive document leak https://github.com/kalyan02/NanoCMS/blob/master/data/pagesdata.txt https://github.com/kalyan02/NanoCMS/ |
| n/a--mruby | A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called e50f15c1c6e131fa7934355eb02b8173b13df415. It is advisable to implement a patch to correct this issue. | 2026-02-06 | 5.3 | CVE-2026-1979 | VDB-344501 \| mruby JMPNOT-to-JMPIF Optimization vm.c mrb_vm_exec use after free VDB-344501 \| CTI Indicators (IOB, IOC, IOA) Submit #743377 \| mruby cda2567 Use After Free https://github.com/mruby/mruby/issues/6701 https://github.com/mruby/mruby/issues/6701#issue-3802609843 https://github.com/sysfce2/mruby/commit/e50f15c1c6e131fa7934355eb02b8173b13df415 https://github.com/mruby/mruby/ |
| happyfish100--libfastcommon | A security vulnerability has been detected in happyfish100 libfastcommon up to 1.0.84. Affected by this vulnerability is the function base64_decode of the file src/base64.c. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 82f66af3e252e3e137dba0c3891570f085e79adf. Applying a patch is the recommended action to fix this issue. | 2026-02-06 | 5.3 | CVE-2026-2016 | VDB-344598 \| happyfish100 libfastcommon base64.c base64_decode stack-based overflow VDB-344598 \| CTI Indicators (IOB, IOC, IOA) Submit #743873 \| happyfish100 libfastcommon V1.0.84 and earlier Heap-based Buffer Overflow https://github.com/happyfish100/libfastcommon/issues/55 https://github.com/happyfish100/libfastcommon/issues/55#issuecomment-3776757848 https://github.com/happyfish100/libfastcommon/issues/55#issue-3836362577 https://github.com/happyfish100/libfastcommon/commit/82f66af3e252e3e137dba0c3891570f085e79adf https://github.com/happyfish100/libfastcommon/ |
| D-Link--DIR-605L | A security flaw has been discovered in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. Impacted is an unknown function of the component Wifi Setting Handler. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 5.3 | CVE-2026-2054 | VDB-344614 \| D-Link DIR-605L/DIR-619L Wifi Setting information disclosure VDB-344614 \| CTI Indicators (IOB, IOC, TTP) Submit #744224 \| D-Link DIR619L、DIR605L 2.06B01、2.13B01 Improper Access Controls https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_81/81.md https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_81/81.md#poc--result https://www.dlink.com/ |
| D-Link--DIR-605L | A weakness has been identified in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. The affected element is an unknown function of the component DHCP Client Information Handler. Executing a manipulation can lead to information disclosure. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 5.3 | CVE-2026-2055 | VDB-344615 \| D-Link DIR-605L/DIR-619L DHCP Client Information information disclosure VDB-344615 \| CTI Indicators (IOB, IOC, TTP) Submit #744225 \| D-Link DIR619L、DIR605L 2.06B01、2.13B01 Improper Access Controls https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_82/82.md https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_82/82.md#poc--result https://www.dlink.com/ |
| D-Link--DIR-605L | A security vulnerability has been detected in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. The impacted element is an unknown function of the file /wan_connection_status.asp of the component DHCP Connection Status Handler. The manipulation leads to information disclosure. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 5.3 | CVE-2026-2056 | VDB-344616 \| D-Link DIR-605L/DIR-619L DHCP Connection Status wan_connection_status.asp information disclosure VDB-344616 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #744226 \| D-Link DIR619L、DIR605L 2.06B01、2.13B01 Improper Access Controls https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_83/83.md https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_82/82.md#poc--result https://www.dlink.com/ |
| n/a--Open5GS | A vulnerability was identified in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_modify_bearer_response/sgwc_sxa_handle_session_modification_response of the component PGW S5U Address Handler. The manipulation leads to null pointer dereference. The attack can be initiated remotely. The exploit is publicly available and might be used. The identifier of the patch is f1bbd7b57f831e2a070780a7d8d5d4c73babdb59. Applying a patch is the recommended action to fix this issue. | 2026-02-06 | 5.3 | CVE-2026-2062 | VDB-344622 \| Open5GS PGW S5U Address sgwc_sxa_handle_session_modification_response null pointer dereference VDB-344622 \| CTI Indicators (IOB, IOC, IOA) Submit #744719 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4257 https://github.com/open5gs/open5gs/issues/4257#issue-3787701521 https://github.com/open5gs/open5gs/commit/f1bbd7b57f831e2a070780a7d8d5d4c73babdb59 https://github.com/open5gs/open5gs/ |
| jsbroks--COCO Annotator | A vulnerability was determined in jsbroks COCO Annotator up to 0.11.1. This impacts an unknown function of the file /api/info/long_task of the component Endpoint. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 5.3 | CVE-2026-2108 | VDB-344684 \| jsbroks COCO Annotator Endpoint long_task denial of service VDB-344684 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #745547 \| coco-annotator 0.11.1 Denial of Service https://github.com/nmmorette/vulnerability-research/blob/main/coco-anotator/Unauthenticated%20Task%20Queue%20Flood%20in%20COCO%20Annotator%202f1ef09b873680f99d39e3f7db9886fa.md |
| jsbroks--COCO Annotator | A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 5.4 | CVE-2026-2109 | VDB-344685 \| jsbroks COCO Annotator Delete Category undo improper authorization VDB-344685 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #745579 \| coco-annotator v0.11.1 Broken Function Level Authorization https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md |
| Tenda--AC21 | A weakness has been identified in Tenda AC21 16.03.08.16. This impacts an unknown function of the file /cgi-bin/DownloadLog of the component Web Management Interface. Executing a manipulation can lead to information disclosure. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 5.3 | CVE-2026-2147 | VDB-344849 \| Tenda AC21 Web Management DownloadLog information disclosure VDB-344849 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #747429 \| Tenda AC21 V16.03.08.16 Missing Critical Step in Authentication https://github.com/master-abc/cve/issues/30 https://www.tenda.com.cn/ |
| Tenda--AC21 | A security vulnerability has been detected in Tenda AC21 16.03.08.16. Affected is an unknown function of the file /cgi-bin/DownloadFlash of the component Web Management Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 5.3 | CVE-2026-2148 | VDB-344850 \| Tenda AC21 Web Management DownloadFlash information disclosure VDB-344850 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #747557 \| Tenda AC21 V16.03.08.16 Missing Critical Step in Authentication https://github.com/master-abc/cve/issues/27 https://www.tenda.com.cn/ |
| n/a--WeKan | A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the attack remotely. Upgrading to version 8.21 is capable of addressing this issue. This patch is called 91a936e07d2976d4246dfe834281c3aaa87f9503. You should upgrade the affected component. | 2026-02-08 | 5.3 | CVE-2026-2207 | VDB-344921 \| WeKan Activity Publication activities.js LinkedBoardActivitiesBleed information disclosure VDB-344921 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #752163 \| Wekan <8.21 Information disclosure via insufficient authorization filtering https://github.com/wekan/wekan/commit/91a936e07d2976d4246dfe834281c3aaa87f9503 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| F5--BIG-IP | When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests along with conditions beyond the attacker's control can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 5.9 | CVE-2026-22548 | https://my.f5.com/manage/s/article/K000158072 |
| NeoRazorX--facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there is a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's `\| raw` filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8. | 2026-02-02 | 5.4 | CVE-2026-23476 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4 https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3 https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8 |
| CollaboraOnline--online | Collabora Online is a collaborative online office suite based on LibreOffice technology. Prior to Collabora Online Development Edition version 25.04.08.2 and prior to Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5, a user with view-only rights and no download privileges can obtain a local copy of a shared file. Although there are no corresponding buttons in the interface, pressing Ctrl+Shift+S initiates the file download process. This allows the user to bypass the access restrictions and leads to unauthorized data retrieval. This issue has been patched in Collabora Online Development Edition version 25.04.08.2 and Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5. | 2026-02-05 | 5.3 | CVE-2026-23623 | https://github.com/CollaboraOnline/online/security/advisories/GHSA-68v6-r6qq-mmq2 |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2. | 2026-02-03 | 5.3 | CVE-2026-24664 | https://github.com/gunet/openeclass/security/advisories/GHSA-c3wq-m629-5h2j |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, potentially enabling unauthorized continued access to user accounts. This issue has been patched in version 4.2. | 2026-02-03 | 5 | CVE-2026-24667 | https://github.com/gunet/openeclass/security/advisories/GHSA-5h73-53mh-m224 |
| Huawei--HarmonyOS | Identity authentication bypass vulnerability in the window module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 5.9 | CVE-2026-24916 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei--HarmonyOS | Out-of-bounds access vulnerability in the frequency modulation module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 5.5 | CVE-2026-24927 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei--HarmonyOS | Out-of-bounds write vulnerability in the file system module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 5.8 | CVE-2026-24928 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei--HarmonyOS | Out-of-bounds read vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 5.9 | CVE-2026-24929 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| Huawei--HarmonyOS | Vulnerability of improper criterion security check in the card module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 5.9 | CVE-2026-24931 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The Split function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. This issue has been patched in version 1.1.0. | 2026-02-04 | 5.5 | CVE-2026-25122 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-6p9p-q6wh-9j89 https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09 |
| homarr-labs--homarr | Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behavior and a reliable port-scanning primitive (open vs closed ports can be inferred from statusCode vs fetch failed and timing). This vulnerability is fixed in 1.52.0. | 2026-02-06 | 5.3 | CVE-2026-25123 | https://github.com/homarr-labs/homarr/security/advisories/GHSA-c6rh-8wj4-gv74 |
| Talishar--Talishar | Talishar is a fan-made Flesh and Blood project. A stored XSS exists in the in-game chat system. The playerID parameter in SubmitChat.php is saved without sanitization and executed whenever a user views the current game page. This vulnerability is fixed by 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4. | 2026-02-02 | 5.3 | CVE-2026-25144 | https://github.com/Talishar/Talishar/security/advisories/GHSA-rrr4-h2pc-57g6 https://github.com/Talishar/Talishar/commit/09dd00e5452e3cd998eb1406a88e5b0fa868e6b4 |
| chainguard-dev--melange | melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. This issue has been patched in version 0.40.3. | 2026-02-04 | 5.5 | CVE-2026-25145 | https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9 https://github.com/chainguard-dev/melange/commit/2f95c9f4355ed993f2670bf1bb82d88b0f65e9e4 |
| QwikDev--qwik | Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, Qwik City's server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0. | 2026-02-03 | 5.9 | CVE-2026-25151 | https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed |
| QwikDev--qwik | Qwik is a performance-focused JavaScript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0. | 2026-02-03 | 5.9 | CVE-2026-25155 | https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8 https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75 |
| SignalK--signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3. | 2026-02-02 | 5 | CVE-2026-25228 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process. This issue has been patched in version 0.28.5.0. | 2026-02-03 | 5.3 | CVE-2026-25509 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-654x-9q7r-g966 https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653 |
| cert-manager--cert-manager | cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial‑of‑service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3. | 2026-02-04 | 5.9 | CVE-2026-25518 | https://github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv https://github.com/cert-manager/cert-manager/pull/8467 https://github.com/cert-manager/cert-manager/pull/8468 https://github.com/cert-manager/cert-manager/pull/8469 https://github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2cc https://github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327d https://github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2 |
| OpenMage--magento-lts | Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1. | 2026-02-04 | 5.3 | CVE-2026-25523 | https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f https://hackerone.com/bugs?subject=openmage&report_id=3416312 |
| payloadcms--payload | Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0. | 2026-02-06 | 5.4 | CVE-2026-25574 | https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955 |
| samclarke--SCEditor | SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability to control configuration options passed to sceditor.create(), such as emoticons, charset, etc., then it is possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1. | 2026-02-06 | 5.4 | CVE-2026-25581 | https://github.com/samclarke/SCEditor/security/advisories/GHSA-25fq-6qgg-qpj8 https://github.com/samclarke/SCEditor/commit/5733aed4f0e257cb78e1ba191715fc458cbd473d |
| PrestaShop--PrestaShop | PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3. | 2026-02-06 | 5.3 | CVE-2026-25597 | https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2 https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4 https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3 |
| Wing FTP Server--Wing FTP Server | Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user account without proper authorization. | 2026-02-06 | 4.3 | CVE-2020-37079 | ExploitDB-48200 Wing FTP Server Official Homepage Wing FTP Server Version History VulnCheck Advisory: Wing FTP Server < 6.2.7 - Cross-site Request Forgery |
| Openeclass--GUnet OpenEclass | GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system information, application version, and other students' uploaded assessments, due to improper access controls and information disclosure flaws in various modules. Attackers can retrieve system info, version info, and view or download other users' files without proper authorization. | 2026-02-03 | 4.3 | CVE-2020-37114 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - Information Disclosure |
| HRSALE--HRSALE | HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user accounts with elevated privileges. | 2026-02-05 | 4.3 | CVE-2020-37145 | ExploitDB-48205 Archived Product Webpage VulnCheck Advisory: HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin) |
| IBM--Operations Analytics - Log Analysis | IBM Operations Analytics - Log Analysis versions 1.3.5.0 through 1.3.8.3 and IBM SmartCloud Analytics - Log Analysis are vulnerable to a cross-site request forgery (CSRF) vulnerability that could allow an attacker to trick a trusted user into performing unauthorized actions. | 2026-02-04 | 4.3 | CVE-2024-40685 | https://www.ibm.com/support/pages/node/7256429 |
| metagauss--ProfileGrid User Profiles, Groups and Communities | The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action. | 2026-02-05 | 4.3 | CVE-2025-13416 | https://www.wordfence.com/threat-intel/vulnerabilities/id/31c2cd54-f258-43ea-8db2-8d98ad7014d1?source=cve https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L3167 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.5/public/class-profile-magic-public.php#L3167 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448434%40profilegrid-user-profiles-groups-and-communities&new=3448434%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail= |
| Tanium--Patch | Tanium addressed an improper access controls vulnerability in Patch. | 2026-02-05 | 4.3 | CVE-2025-15326 | TAN-2025-006 |
| Tanium--Deploy | Tanium addressed an improper access controls vulnerability in Deploy. | 2026-02-05 | 4.3 | CVE-2025-15327 | TAN-2025-006 |
| Tanium--Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.9 | CVE-2025-15329 | TAN-2025-019 |
| Tanium--Connect | Tanium addressed an uncontrolled resource consumption vulnerability in Connect. | 2026-02-05 | 4.3 | CVE-2025-15331 | TAN-2025-015 |
| Tanium--Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.9 | CVE-2025-15332 | TAN-2025-020 |
| Tanium--Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.3 | CVE-2025-15333 | TAN-2025-025 |
| Tanium--Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.3 | CVE-2025-15334 | TAN-2025-026 |
| Tanium--Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.3 | CVE-2025-15335 | TAN-2025-027 |
| Tanium--Reputation | Tanium addressed an improper access controls vulnerability in Reputation. | 2026-02-05 | 4.3 | CVE-2025-15342 | TAN-2025-030 |
| IBM--Jazz Foundation | IBM Jazz Foundation 7.0.3 through 7.0.3 iFix019 and 7.1.0 through 7.1.0 iFix005 are vulnerable to access control violations that allow users to view or access/perform actions beyond their expected capability. | 2026-02-02 | 4.3 | CVE-2025-15395 | https://www.ibm.com/support/pages/node/7258304 |
| simonfairbairn--The Bucketlister | The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add, delete, or modify arbitrary bucket list items. | 2026-02-07 | 4.3 | CVE-2025-15476 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fc9e6374-8f9e-4c60-a86b-46cd4122abf9?source=cve https://plugins.trac.wordpress.org/browser/the-bucketlister/tags/0.1.5/bucketlister.php#L185 |
| qriouslad--Code Explorer | The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-02-04 | 4.9 | CVE-2025-15487 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fad8ad54-56eb-40fa-a357-77b7d656d378?source=cve https://plugins.trac.wordpress.org/browser/code-explorer/tags/1.4.6/admin/class-code-explorer-admin.php#L211 |
| HCL--AION | A potential command injection vulnerability exists in HCL AION. This can allow unintended command execution, potentially leading to unauthorized actions on the underlying system. This issue affects AION: 2.0. | 2026-02-03 | 4.5 | CVE-2025-52626 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| HCL--AION | HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0. | 2026-02-03 | 4.6 | CVE-2025-52628 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| N/A--Moodle[.]org | A flaw was found in Moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure. | 2026-02-03 | 4.3 | CVE-2025-67857 | https://access.redhat.com/security/cve/CVE-2025-67857 RHBZ#2423868 https://moodle.org/mod/forum/discuss.php?d=471307 |
| Red Hat--Red Hat Ansible Automation Platform 2 | A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs. | 2026-02-06 | 4.2 | CVE-2026-0598 | https://access.redhat.com/security/cve/CVE-2026-0598 RHBZ#2427094 |
| rtddev--Extended Random Number Generator | The Extended Random Number Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-02-04 | 4.4 | CVE-2026-0681 | https://www.wordfence.com/threat-intel/vulnerabilities/id/575c3329-8dbb-4d15-8e11-a86a01b96f50?source=cve https://plugins.trac.wordpress.org/browser/extended-random-number-generator/trunk/random_number_generator.php#L187 https://plugins.trac.wordpress.org/browser/extended-random-number-generator/tags/1.1/random_number_generator.php#L187 |
| orenhav--WP Content Permission | The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ohmem-message' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-04 | 4.4 | CVE-2026-0743 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e44403cd-1cee-43c4-aabc-3eaad433c020?source=cve https://plugins.trac.wordpress.org/browser/wp-content-permission/trunk/admin/views/admin.php#L74 https://plugins.trac.wordpress.org/browser/wp-content-permission/tags/1.2/admin/views/admin.php#L74 |
| gtlwpdev--All push notification for WP | The All push notification for WP plugin for WordPress is vulnerable to time-based SQL Injection via the 'delete_id' parameter in all versions up to, and including, 1.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-02-04 | 4.9 | CVE-2026-0816 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fc1f36b1-cf28-472c-8a7a-f091ecb48c2d?source=cve https://plugins.trac.wordpress.org/browser/all-push-notification/tags/1.5.3/pushnotification-admin/class-pushnotification-admin.php#L95 https://plugins.trac.wordpress.org/browser/all-push-notification/trunk/pushnotification-admin/class-pushnotification-admin.php#L95 |
| arkapravamajumder--TITLE ANIMATOR | The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in `inc/settings-page.php`. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-02-07 | 4.3 | CVE-2026-1082 | https://www.wordfence.com/threat-intel/vulnerabilities/id/98736b9d-3e0a-40c0-900a-fbbaaac07958?source=cve https://plugins.trac.wordpress.org/browser/title-animator/trunk/inc/settings-page.php#L5 https://plugins.trac.wordpress.org/browser/title-animator/tags/1.0/inc/settings-page.php#L5 |
| bplugins--Timeline Block Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) | The Timeline Block - Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgb_shortcode() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to disclose private timeline content via the id attribute supplied to the 'timeline_block' shortcode. | 2026-02-06 | 4.3 | CVE-2026-1228 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cecebfd0-c2af-4150-8793-299cdbeaa7b9?source=cve https://plugins.trac.wordpress.org/changeset/3446078/timeline-block-block |
| shortpixel--ShortPixel Image Optimizer Optimize Images, Convert WebP & AVIF | The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys. | 2026-02-05 | 4.9 | CVE-2026-1246 | https://www.wordfence.com/threat-intel/vulnerabilities/id/03cb41d2-67c8-457f-8d85-7aede8e12d44?source=cve https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L309 https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L1686 https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/BulkController.php#L200 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3449706%40shortpixel-image-optimiser&new=3449706%40shortpixel-image-optimiser&sfp_email=&sfph_mail= |
| comprassibs--SIBS woocommerce payment gateway | The SIBS woocommerce payment gateway plugin for WordPress is vulnerable to time-based SQL Injection via the 'referencedId' parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-02-04 | 4.9 | CVE-2026-1370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eac8e81c-2f6f-4a4a-9678-f5d75f4954ae?source=cve https://plugins.trac.wordpress.org/browser/sibs-woocommerce/tags/2.2.0/class-sibs-payment-gateway.php#L1855 |
| n/a--iomad | A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. It is best practice to apply a patch to resolve this issue. | 2026-02-05 | 4.7 | CVE-2026-1517 | VDB-344487 \| iomad Company Admin Block sql injection VDB-344487 \| CTI Indicators (IOB, IOC, TTP) https://github.com/iomad/iomad/issues/2559 https://github.com/iomad/iomad/issues/2559#issuecomment-3841174677 https://github.com/iomad/iomad/ |
| Yealink--MeetingBar A30 | A weakness has been identified in Yealink MeetingBar A30 133.321.0.3. This issue affects some unknown processing of the component Diagnostic Handler. This manipulation causes command injection. It is feasible to perform the attack on the physical device. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 4.3 | CVE-2026-1735 | VDB-343634 \| Yealink MeetingBar A30 Diagnostic command injection VDB-343634 \| CTI Indicators (IOB, IOC, TTP) Submit #736622 \| Yealink MeetingBar A30 133.321.0.3 Command Injection https://drive.google.com/file/d/1Uf46ihr8UmeXsFfkcvAeOtF1TkvGjozy/view?usp=sharing |
| EFM--ipTIME A8004T | A vulnerability was identified in EFM ipTIME A8004T 14.18.2. Affected by this vulnerability is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi of the component VPN Service. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 4.7 | CVE-2026-1742 | VDB-343641 \| EFM ipTIME A8004T VPN Service timepro.cgi commit_vpncli_file_upload unrestricted upload VDB-343641 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741450 \| EFM IPTIME A8004T 14.18.2 Authentication Bypass & Arbitrary File Upload https://github.com/LX-LX88/cve/issues/29 |
| SourceCodester--Medical Certificate Generator App | A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2026-02-02 | 4.3 | CVE-2026-1745 | VDB-343676 \| SourceCodester Medical Certificate Generator App cross-site request forgery VDB-343676 \| CTI Indicators (IOB, IOC) Submit #742653 \| SourceCodester Medical Certificate Generator App 1.0 Cross-Site Request Forgery https://github.com/Asim-QAZi/Cross-Site-Request-Forgery-Arbitrary-Medical-Certificate-Deletion https://github.com/Asim-QAZi/Cross-Site-Request-Forgery-Arbitrary-Medical-Certificate-Deletion#proof-of-concept-csrf-exploit https://www.sourcecodester.com/ |
| codesnippetspro--Code Snippets | The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page. | 2026-02-06 | 4.3 | CVE-2026-1785 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4a5787f3-6a16-491a-aa01-6222f275cf0f?source=cve https://plugins.trac.wordpress.org/browser/code-snippets/trunk/php/cloud/class-cloud-search-list-table.php#L105 https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.9.4/php/cloud/class-cloud-search-list-table.php#L105 https://plugins.trac.wordpress.org/browser/code-snippets/trunk/php/cloud/list-table-shared-ops.php#L57 https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.9.4/php/cloud/list-table-shared-ops.php#L57 https://github.com/codesnippetspro/code-snippets/pull/331/changes |
| lcg0124--BootDo | A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. | 2026-02-04 | 4.3 | CVE-2026-1835 | VDB-344028 \| lcg0124 BootDo cross-site request forgery VDB-344028 \| CTI Indicators (IOB, IOC) Submit #742484 \| BootDo Web V1.0 CSRF https://github.com/webzzaa/CVE-/issues/6 |
| n/a--ZenTao | A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-04 | 4.7 | CVE-2026-1884 | VDB-344264 \| ZenTao Webhook model.php fetchHook server-side request forgery VDB-344264 \| CTI Indicators (IOB, IOC, IOA) Submit #742633 \| Zentao PMS <=21.7.6-85642 SSRF https://github.com/ez-lbz/ez-lbz.github.io/issues/9 https://github.com/ez-lbz/ez-lbz.github.io/issues/9#issue-3832844574 |
| n/a--WeKan | A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. It is advisable to upgrade the affected component. | 2026-02-05 | 4.3 | CVE-2026-1897 | VDB-344269 \| WeKan Position-History Tracking positionHistory.js PositionHistoryBleed authorization VDB-344269 \| CTI Indicators (IOB, IOC, IOA) Submit #742671 \| Wekan <8.21 Missing authorization checks leading to information disclosure a https://github.com/wekan/wekan/commit/55576ec17722db094835470b386162c9a662fb60 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| wpsoul--Greenshift animation and page builder blocks | The Greenshift - animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshift_app_pass_validation() function in all versions up to, and including, 12.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve global plugin settings including stored AI API keys. | 2026-02-05 | 4.3 | CVE-2026-1927 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6e2128db-ca9f-4211-8bc5-01a2cc1cba64?source=cve https://plugins.trac.wordpress.org/changeset/3441535/greenshift-animation-and-page-builder-blocks/trunk/init.php |
| n/a--WeKan | A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. Patch name: 545566f5663545d16174e0f2399f231aa693ab6e. It is advisable to upgrade the affected component. | 2026-02-05 | 4.3 | CVE-2026-1964 | VDB-344486 | WeKan REST Endpoint boards.js BoardTitleRESTBleed access control VDB-344486 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742680 | Wekan <8.21 Improper access control in REST endpoint (CWE-284) https://github.com/wekan/wekan/commit/545566f5663545d16174e0f2399f231aa693ab6e https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| DCN--DCME-320 | A vulnerability was found in DCN DCME-320 up to 20260121. Impacted is the function apply_config of the file /function/system/basic/bridge_cfg.php of the component Web Management Backend. Performing a manipulation of the argument ip_list results in command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 4.7 | CVE-2026-2000 | VDB-344548 | DCN DCME-320 Web Management Backend bridge_cfg.php apply_config command injection VDB-344548 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743455 | 北京神州数码云科信息技术有限公司 Dcme320 latest Command Injection https://github.com/physicszq/Routers/tree/main/Dcme |
| Cisco--Cisco Secure Web Appliance | A vulnerability in the Dynamic Vectoring and Streaming (DVS) Engine implementation of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass the anti-malware scanner, allowing malicious archive files to be downloaded. This vulnerability is due to improper handling of certain archive files. An attacker could exploit this vulnerability by sending a crafted archive file, which should be blocked, through an affected device. A successful exploit could allow the attacker to bypass the anti-malware scanner and download malware onto an end user workstation. The downloaded malware will not automatically execute unless the end user extracts and launches the malicious file. | 2026-02-04 | 4 | CVE-2026-20056 | cisco-sa-wsa-archive-bypass-Scx2e8zF |
| Sanluan--PublicCMS | A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 7329437e1288540336b1c66c114ed3363adcba02. It is recommended to apply a patch to fix this issue. | 2026-02-06 | 4.2 | CVE-2026-2010 | VDB-344592 | Sanluan PublicCMS Trade Payment TradePaymentService.java paid improper authorization VDB-344592 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743487 | PublicCMS 5 Improper Access Controls https://github.com/sanluan/PublicCMS/issues/108 https://github.com/sanluan/PublicCMS/issues/108#issue-3838143772 https://github.com/sanluan/PublicCMS/commit/7329437e1288540336b1c66c114ed3363adcba02 https://github.com/sanluan/PublicCMS/ |
| Cisco--Cisco Prime Infrastructure | A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. | 2026-02-04 | 4.8 | CVE-2026-20111 | cisco-sa-pi-xss-bYeVKCD |
| Cisco--Cisco Evolved Programmable Network Manager (EPNM) | A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of the parameters in the HTTP request. An attacker could exploit this vulnerability by intercepting and modifying an HTTP request from a user. A successful exploit could allow the attacker to redirect the user to a malicious web page. | 2026-02-04 | 4.3 | CVE-2026-20123 | cisco-sa-epnm-pi-redirect-6sX82dN |
| D-Link--DIR-823X | A vulnerability was determined in D-Link DIR-823X 250416. Affected by this issue is the function sub_424D20 of the file /goform/set_ipv6. Executing a manipulation can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-06 | 4.7 | CVE-2026-2061 | VDB-344621 | D-Link DIR-823X set_ipv6 sub_424D20 os command injection VDB-344621 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744286 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/20 https://www.dlink.com/ |
| D-Link--DIR-823X | A security flaw has been discovered in D-Link DIR-823X 250416. This vulnerability affects unknown code of the file /goform/set_ac_server of the component Web Management Interface. The manipulation of the argument ac_server results in os command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-06 | 4.7 | CVE-2026-2063 | VDB-344623 | D-Link DIR-823X Web Management set_ac_server os command injection VDB-344623 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744720 | dlink DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/19 https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability was determined in D-Link DIR-823X 250416. The affected element is an unknown function of the file /goform/set_password. This manipulation of the argument http_passwd causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-07 | 4.7 | CVE-2026-2081 | VDB-344648 | D-Link DIR-823X set_password os command injection VDB-344648 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745553 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/22 https://github.com/master-abc/cve/issues/22#issue-3847400767 https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability was identified in D-Link DIR-823X 250416. The impacted element is an unknown function of the file /goform/set_mac_clone. Such manipulation of the argument mac leads to os command injection. The attack may be performed from remote. The exploit is publicly available and might be used. | 2026-02-07 | 4.7 | CVE-2026-2082 | VDB-344649 | D-Link DIR-823X set_mac_clone os command injection VDB-344649 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745854 | dlink DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/21 https://github.com/master-abc/cve/issues/21#issue-3847172823 https://www.dlink.com/ |
| n/a--JeecgBoot | A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this issue is some unknown functionality of the file /airag/knowledge/doc/edit of the component Retrieval-Augmented Generation Module. Executing a manipulation of the argument filePath can lead to path traversal. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 4.3 | CVE-2026-2111 | VDB-344687 | JeecgBoot Retrieval-Augmented Generation edit path traversal VDB-344687 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746789 | jeecgboot 3.9.0 Absolute Path Traversal https://www.yuque.com/la12138/vxbwk9/ezodz20a26g36y8m |
| PHPGurukul--Hospital Management System | A security vulnerability has been detected in PHPGurukul Hospital Management System 4.0. The affected element is an unknown function of the file /hms/admin/manage-doctors.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 4.7 | CVE-2026-2134 | VDB-344769 | PHPGurukul Hospital Management System manage-doctors.php sql injection VDB-344769 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747214 | PHPGurukul Hospital Management System 4.0 SQL Injection https://github.com/Shaon-Xis/PHPGurukul-HMS-SQL-Injection https://phpgurukul.com/ |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /appointments.php. The manipulation of the argument patient_id results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2026-02-08 | 4.3 | CVE-2026-2149 | VDB-344851 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System appointments.php cross site scripting VDB-344851 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747920 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Doubled Character XSS Manipulations https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Patients-Waiting-Area-Queue-Management-System-appointments-XSS.md |
| SourceCodester--Patients Waiting Area Queue Management System | A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /checkin.php. This manipulation of the argument patient_id causes cross site scripting. The attack can be initiated remotely. The exploit has been published and may be used. | 2026-02-08 | 4.3 | CVE-2026-2150 | VDB-344852 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System checkin.php cross site scripting VDB-344852 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747921 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Doubled Character XSS Manipulations https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Patients-Waiting-Area-Queue-Management-System-checkin-php-XSS.md |
| mwielgoszewski--doorman | A vulnerability was determined in mwielgoszewski doorman up to 0.6. This issue affects the function is_safe_url of the file doorman/users/views.py. Executing a manipulation of the argument Next can lead to open redirect. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 4.3 | CVE-2026-2153 | VDB-344855 | mwielgoszewski doorman views.py is_safe_url redirect VDB-344855 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748072 | https://github.com/mwielgoszewski/doorman doorman Latest Version (commit 9a9b97c8) Open Redirect https://gist.github.com/RacerZ-fighting/39f230feb0e450ae54f0a80c63c5d924 |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability was identified in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Impacted is an unknown function of the file /registration.php of the component Patient Registration Module. The manipulation of the argument First Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-02-08 | 4.3 | CVE-2026-2154 | VDB-344856 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System Patient Registration registration.php cross site scripting VDB-344856 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748208 | SourceCodester Patients Waiting Area Queue Management System 1 Cross Site Scripting https://medium.com/@rvpipalwa/stored-cross-site-scripting-xss-vulnerability-report-c97788dd6ea6 |
| SourceCodester--Simple Responsive Tourism Website | A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected is an unknown function of the file /tourism/classes/Master.php?f=register of the component Registration. Executing a manipulation of the argument firstname/lastname/username can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-02-08 | 4.3 | CVE-2026-2159 | VDB-344861 | SourceCodester Simple Responsive Tourism Website Registration Master.php cross site scripting VDB-344861 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #750995 | sourcecodester.com Simple Responsive Tourism Website 1.0 Cross Site Scripting https://github.com/CH0ico/CVE_choco_5/blob/main/report.md https://www.sourcecodester.com/ |
| SourceCodester--Simple Responsive Tourism Website | A vulnerability has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /tourism/classes/Master.php?f=save_package. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 4.3 | CVE-2026-2160 | VDB-344862 | SourceCodester Simple Responsive Tourism Website Master.php cross site scripting VDB-344862 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751016 | sourcecodester.com Simple Responsive Tourism Website 1.0 Cross Site Scripting https://github.com/CH0ico/CVE_choco_6/blob/main/report.md https://www.sourcecodester.com/ |
| itsourcecode--News Portal Project | A vulnerability was determined in itsourcecode News Portal Project 1.0. This affects an unknown part of the file /admin/aboutus.php. This manipulation of the argument pagetitle causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 4.7 | CVE-2026-2162 | VDB-344864 | itsourcecode News Portal Project aboutus.php sql injection VDB-344864 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751083 | itsourcecode News Portal Project V1.0 SQL Injection https://github.com/Wzl731/test/issues/2 https://itsourcecode.com/ |
| D-Link--DIR-600 | A vulnerability was identified in D-Link DIR-600 up to 2.15WWb02. This vulnerability affects unknown code of the file ssdp.cgi. Such manipulation of the argument HTTP_ST/REMOTE_ADDR/REMOTE_PORT/SERVER_ID leads to command injection. The attack may be launched remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-08 | 4.7 | CVE-2026-2163 | VDB-344865 | D-Link DIR-600 ssdp.cgi command injection VDB-344865 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751764 | D-Link D-Link DIR-600 v2.15WWb02 Remote Arbitrary Command Execution https://github.com/LonTan0/CVE/blob/main/Remote%20Arbitrary%20Command%20Execution%20Vulnerability%20in%20ssdpcgi%20of%20D-Link%20DIR%E2%80%91600.md https://github.com/LonTan0/CVE/blob/main/Remote%20Arbitrary%20Command%20Execution%20Vulnerability%20in%20ssdpcgi%20of%20D-Link%20DIR%E2%80%91600.md#poc https://www.dlink.com/ |
| PHPGurukul--Hospital Management System | A vulnerability was determined in PHPGurukul Hospital Management System 4.0. This impacts an unknown function of the file /admin/manage-users.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 4.7 | CVE-2026-2179 | VDB-344882 | PHPGurukul Hospital Management System manage-users.php sql injection VDB-344882 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749592 | PHPGurukul Hospital Management System 4.0 SQL Injection https://github.com/Shaon-Xis/PHPGurukul-HMS-SQLi-PoC/tree/main https://github.com/Shaon-Xis/PHPGurukul-HMS-SQLi-PoC/tree/main#4-proof-of-concept-reproduction-steps https://phpgurukul.com/ |
| n/a--WeKan | A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version 8.21 is able to mitigate this issue. The name of the patch is 0f5a9c38778ca550cbab6c5093470e1e90cb837f. Upgrading the affected component is advised. | 2026-02-08 | 4.3 | CVE-2026-2205 | VDB-344919 | WeKan Meteor Publication cards.js CardPubSubBleed information disclosure VDB-344919 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752161 | Wekan <8.21 Information disclosure via publish/subscribe authorization bug https://github.com/wekan/wekan/commit/0f5a9c38778ca550cbab6c5093470e1e90cb837f https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a--WeKan | A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended to address this issue. The identifier of the patch is a787bcddf33ca28afb13ff5ea9a4cb92dceac005. The affected component should be upgraded. | 2026-02-08 | 4.3 | CVE-2026-2208 | VDB-344922 | WeKan Rules rules.js RulesBleed authorization VDB-344922 | CTI Indicators (IOB, IOC, IOA) Submit #752164 | Wekan <8.21 Information disclosure / missing authorization on admin publicat https://github.com/wekan/wekan/commit/a787bcddf33ca28afb13ff5ea9a4cb92dceac005 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| glpi-project--glpi | GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF requests through the Webhook feature. This issue has been patched in version 11.0.5. | 2026-02-04 | 4.1 | CVE-2026-22247 | https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x https://github.com/glpi-project/glpi/releases/tag/11.0.5 |
| F5--F5 BIG-IP Container Ingress Services | A vulnerability exists in F5 BIG-IP Container Ingress Services that may allow excessive permissions to read cluster secrets. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 4.9 | CVE-2026-22549 | https://my.f5.com/manage/s/article/K000157960 |
| rizinorg--rizin | Rizin is a UNIX-like reverse engineering framework and command-line toolset. Prior to 0.8.2, a heap overflow can be exploited when a malicious mach0 file, having bogus entries for the dyld chained segments, is parsed by rizin. This vulnerability is fixed in 0.8.2. | 2026-02-02 | 4.4 | CVE-2026-22780 | https://github.com/rizinorg/rizin/security/advisories/GHSA-f3v7-xhmj-9cjj https://github.com/rizinorg/rizin/issues/5768 https://github.com/rizinorg/rizin/pull/5770 https://github.com/rizinorg/rizin/commit/41ea75d5b07d9b41b27ae80675cdda65f1b1c989 https://github.com/rizinorg/rizin/blob/6dd0dba9ff4dc706f549d0cdcd93856b49e59aa0/librz/bin/format/mach0/mach0_chained_fixups.c#L200 https://github.com/rizinorg/rizin/releases/tag/v0.8.2 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions . | 2026-02-04 | 4.3 | CVE-2026-23624 | https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477 https://github.com/glpi-project/glpi/releases/tag/10.0.23 https://github.com/glpi-project/glpi/releases/tag/11.0.5 |
| Enalean--tuleap | Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap is missing CSRF protection in the Overview inconsistent items. An attacker could use this vulnerability to trick victims into repairing inconsistent items (creating artifact links from the release). This vulnerability is fixed in Tuleap Community Edition 17.0.99.1768924735 and Tuleap Enterprise Edition 17.2-5, 17.1-6, and 17.0-9. | 2026-02-02 | 4.6 | CVE-2026-24007 | https://github.com/Enalean/tuleap/security/advisories/GHSA-7g48-rwqj-ffxw https://github.com/Enalean/tuleap/commit/5ec5e81e409892fe0e41f11d5d36ee6c85a6fbb5 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=5ec5e81e409892fe0e41f11d5d36ee6c85a6fbb5 https://tuleap.net/plugins/tracker/?aid=46389 |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files with prohibited extensions by embedding them inside ZIP archives and extracting them using the application's built-in decompression functionality. This issue has been patched in version 4.2. | 2026-02-03 | 4.3 | CVE-2026-24673 | https://github.com/gunet/openeclass/security/advisories/GHSA-3g4j-56gp-v6wv |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to execute arbitrary JavaScript in the context of authenticated users by crafting malicious URLs and tricking victims into visiting them. This issue has been patched in version 4.2. | 2026-02-03 | 4.7 | CVE-2026-24674 | https://github.com/gunet/openeclass/security/advisories/GHSA-gqvp-w22w-w99r |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a business logic vulnerability allows authenticated students to improperly mark themselves as present in attendance activities, including activities that have already expired, by directly accessing a crafted URL. This issue has been patched in version 4.2. | 2026-02-03 | 4.3 | CVE-2026-24774 | https://github.com/gunet/openeclass/security/advisories/GHSA-rv2x-4rc8-93jh |
| opf--openproject | OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring meetings). This allowed an attacker to move a meeting agenda item into a different meeting. The attacker did not get access to meetings, but they could add arbitrary agenda items, which could cause confusion. The vulnerability is fixed in 17.0.2. | 2026-02-06 | 4.3 | CVE-2026-24776 | https://github.com/opf/openproject/security/advisories/GHSA-p9v8-w9ph-hqmf https://github.com/opf/openproject/releases/tag/v17.0.2 |
| Huawei--HarmonyOS | Type confusion vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 4 | CVE-2026-24914 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ |
| Huawei--HarmonyOS | Address read vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2026-02-06 | 4.8 | CVE-2026-24921 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ |
| Blesta--Blesta | Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665. | 2026-02-03 | 4.7 | CVE-2026-25616 | https://www.blesta.com/2026/01/28/security-advisory/ |
| hedgedoc--hedgedoc | HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6. | 2026-02-06 | 4.3 | CVE-2026-25642 | https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534w https://github.com/hedgedoc/hedgedoc/commit/74daa0e7a1cbfafd9aeb255eaf064dfe47cd401c https://github.com/hedgedoc/hedgedoc/commit/b930fe04cee92cd4723044030bb59c36781c7137 https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.6 |
| siyuan-note--siyuan | Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session. | 2026-02-06 | 4.6 | CVE-2026-25647 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| P5--FNIP-8x16A | P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking authenticated users into loading a specially crafted page. | 2026-02-05 | 3.5 | CVE-2020-37118 | Zero Science Lab Disclosure (ZSL-2020-5564) ExploitDB-48362 Packet Storm Entry IBM X-Force Vulnerability Report P5 Vendor Homepage VulnCheck Advisory: P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin) |
| P5--FNIP-8x16A | P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html. | 2026-02-05 | 3.5 | CVE-2020-37148 | Zero Science Lab Disclosure (ZSL-2020-5564) ExploitDB-48362 Packet Storm Entry IBM X-Force Vulnerability Report P5 Vendor Homepage VulnCheck Advisory: P5 FNIP-8x16A/FNIP-4xSH 1.0.20, 1.0.11 - Stored Cross-Site Scripting (XSS) |
| Tanium--Interact | Tanium addressed an improper access controls vulnerability in Interact. | 2026-02-05 | 3.1 | CVE-2025-15289 | TAN-2025-033 |
| Tanium--Tanium Client | Tanium addressed a denial of service vulnerability in Tanium Client. | 2026-02-06 | 3.3 | CVE-2025-15320 | TAN-2025-023 |
| Tanium--Tanium Appliance | Tanium addressed an improper certificate validation vulnerability in Tanium Appliance. | 2026-02-05 | 3.7 | CVE-2025-15323 | TAN-2025-031 |
| n/a--Mapnik | A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod<...>::operator of the file src/value.cpp. The manipulation leads to divide by zero. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 3.3 | CVE-2025-15564 | VDB-344502 | Mapnik value.cpp operator divide by zero VDB-344502 | CTI Indicators (IOB, IOC, IOA) Submit #743386 | mapnik Mapnik v4.2.0 and master branch Divide By Zero https://github.com/mapnik/mapnik/issues/4545 https://github.com/oneafter/1219/blob/main/repro https://github.com/mapnik/mapnik/ |
| IBM--Jazz Reporting Service | IBM Jazz Reporting Service could allow an authenticated user on the host network to cause a denial of service using specially crafted SQL query that consumes excess memory resources. | 2026-02-04 | 3.5 | CVE-2025-1823 | https://www.ibm.com/support/pages/node/7258083 |
| IBM--Jazz Reporting Service | IBM Jazz Reporting Service could allow an authenticated user on the network to affect the system's performance using complicated queries due to insufficient resource pooling. | 2026-02-04 | 3.5 | CVE-2025-2134 | https://www.ibm.com/support/pages/node/7258083 |
| IBM--Jazz Reporting Service | IBM Jazz Reporting Service could allow an authenticated user on the host network to obtain sensitive information about other projects that reside on the server. | 2026-02-04 | 3.5 | CVE-2025-27550 | https://www.ibm.com/support/pages/node/7258083 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 stores potentially sensitive information in log files that could be read by a local user. | 2026-02-03 | 3.3 | CVE-2025-33081 | https://www.ibm.com/support/pages/node/7257565 |
| HCL--AION | HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. Allowing autocomplete on password fields may lead to unintended storage or disclosure of sensitive credentials, potentially increasing the risk of unauthorized access. This issue affects AION: 2.0. | 2026-02-03 | 3.7 | CVE-2025-52623 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| HCL--AION | HCL AION is susceptible to Missing Content-Security-Policy. The absence of a CSP header may increase the risk of cross-site scripting and other content injection attacks by allowing unsafe scripts or resources to execute. This issue affects AION: 2.0. | 2026-02-03 | 3.7 | CVE-2025-52629 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| HCL--AION | HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks. This issue affects AION: 2.0. | 2026-02-03 | 3.7 | CVE-2025-52631 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| HCL--AION | HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. Storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. This issue affects AION: 2.0. | 2026-02-03 | 3.1 | CVE-2025-52633 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| N/A--Moodle[.]org | A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure. | 2026-02-03 | 3.5 | CVE-2025-67852 | https://access.redhat.com/security/cve/CVE-2025-67852 RHBZ#2423844 |
| webpack--webpack | Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack's HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0. | 2026-02-05 | 3.7 | CVE-2025-68157 | https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758 |
| webpack--webpack | Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack's HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1. | 2026-02-05 | 3.7 | CVE-2025-68458 | https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x |
| DJI--Mavic Mini | A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 3.1 | CVE-2026-1743 | VDB-343674 \| DJI Mavic Mini/Air/Spark/Mini SE Enhanced Wi-Fi Pairing authentication replay VDB-343674 \| CTI Indicators (IOB, IOC, TTP) Submit #741323 \| DJI DJI Mavic Mini, Spark, Mini SE 01.00.0500 and Below Authentication Bypass by Capture-replay https://github.com/ByteMe1001/DJI-CatNect https://github.com/ByteMe1001/DJI-CatNect/blob/main/exploit.c |
| GitLab--GitLab | A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions. | 2026-02-02 | 3.1 | CVE-2026-1751 | GitLab Issue #519340 HackerOne Bug Bounty Report #2980839 |
| Edimax--BR-6258n | A flaw has been found in Edimax BR-6258n up to 1.18. This issue affects the function formStaDrvSetup of the file /goform/formStaDrvSetup. This manipulation of the argument submit-url causes open redirect. The attack can be initiated remotely. The exploit has been published and may be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-05 | 3.5 | CVE-2026-1970 | VDB-344492 \| Edimax BR-6258n formStaDrvSetup redirect VDB-344492 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742734 \| Edimax BR-6258n v1.18 Open Redirect https://tzh00203.notion.site/EDIMAX-BR-6258n-v1-18-Open-Redirect-Vulnerability-in-Web-formStaDrvSetup-handler-2eeb5c52018a803bb958e4f80cdf2550?source=copy_link |
| n/a--oatpp | A security vulnerability has been detected in oatpp up to 1.3.1. This impacts the function oatpp::data::type::ObjectWrapper::ObjectWrapper of the file src/oatpp/data/type/Type.hpp. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-06 | 3.3 | CVE-2026-1990 | VDB-344508 \| oatpp Type.hpp ObjectWrapper null pointer dereference VDB-344508 \| CTI Indicators (IOB, IOC, IOA) Submit #743387 \| oatpp 1.3.1 and master-branch NULL Pointer Dereference https://github.com/oatpp/oatpp/issues/1080 https://github.com/oatpp/oatpp/issues/1080#issue-3806715350 https://github.com/oatpp/oatpp/ |
| n/a--libuvc | A vulnerability was detected in libuvc up to 0.0.7. Affected is the function uvc_scan_streaming of the file src/device.c of the component UVC Descriptor Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-06 | 3.3 | CVE-2026-1991 | VDB-344509 \| libuvc UVC Descriptor device.c uvc_scan_streaming null pointer dereference VDB-344509 \| CTI Indicators (IOB, IOC, IOA) Submit #743388 \| libuvc v0.0.7 and master-branch NULL Pointer Dereference https://github.com/libuvc/libuvc/issues/300 https://github.com/oneafter/0104/blob/main/repro https://github.com/libuvc/libuvc/ |
| n/a--micropython | A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue. | 2026-02-06 | 3.3 | CVE-2026-1998 | VDB-344546 \| micropython runtime.c mp_import_all memory corruption VDB-344546 \| CTI Indicators (IOB, IOC, IOA) Submit #743396 \| micropython 0fd0843 Memory Corruption https://github.com/micropython/micropython/issues/18639 https://github.com/micropython/micropython/pull/18671 https://github.com/micropython/micropython/issues/18639#issue-3780651410 https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6 https://github.com/micropython/micropython/ |
| Portabilis--i-Educar | A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 3.5 | CVE-2026-2064 | VDB-344631 \| Portabilis i-Educar User Data meusdadod.php cross site scripting VDB-344631 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #745108 \| Portabilis i-Educar 2.10 Cross Site Scripting https://github.com/nmmorette/vulnerability-research/tree/main/XSS-Idiario |
| ggml-org--llama.cpp | A flaw has been found in ggml-org llama.cpp up to 55abc39. Impacted is the function llama_grammar_advance_stack of the file llama.cpp/src/llama-grammar.cpp of the component GBNF Grammar Handler. This manipulation causes stack-based buffer overflow. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 18993. To fix this issue, it is recommended to deploy a patch. | 2026-02-06 | 3.3 | CVE-2026-2069 | VDB-344636 \| ggml-org llama.cpp GBNF Grammar llama-grammar.cpp llama_grammar_advance_stack stack-based overflow VDB-344636 \| CTI Indicators (IOB, IOC, IOA) Submit #745263 \| llama.cpp commit 55abc39 Stack-based Buffer Overflow https://github.com/ggml-org/llama.cpp/issues/18988 https://github.com/ggml-org/llama.cpp/issues/18988#event-4426704865 https://github.com/user-attachments/files/24761101/poc.zip https://github.com/ggml-org/llama.cpp/pull/18993 https://github.com/ggml-org/llama.cpp/ |
| F5--BIG-IP Edge Client | A vulnerability exists in BIG-IP Edge Client and browser VPN clients on Windows that may allow attackers to gain access to sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 3.3 | CVE-2026-20730 | https://my.f5.com/manage/s/article/K000158931 |
| F5--BIG-IP | A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 3.1 | CVE-2026-20732 | https://my.f5.com/manage/s/article/K000156644 |
| Tasin1025--SwiftBuy | A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit has been released to the public and may be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 3.7 | CVE-2026-2110 | VDB-344686 \| Tasin1025 SwiftBuy login.php excessive authentication VDB-344686 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #746251 \| Md Tasin Rahman Swiftbuy 1.0 Improper Restriction of Excessive Authentication Attempts https://www.websecurityinsights.my.id/2026/01/swiftbuy-v-10-loginphp-no-limit-to.html |
| cym1102--nginxWebUI | A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. Such manipulation of the argument nginxDir leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-08 | 3.5 | CVE-2026-2145 | VDB-344847 \| cym1102 nginxWebUI Web Management check cross site scripting VDB-344847 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #747404 \| cym1102 nginxWebUI 4.3.7 Cross Site Scripting https://github.com/cym1102/nginxWebUI/issues/203 https://github.com/cym1102/nginxWebUI/issues/203#issue-3860109934 https://github.com/cym1102/nginxWebUI/ |
| asterisk--asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main/http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | 2026-02-06 | 3.5 | CVE-2026-23738 | https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh |
| Kubernetes--ingress-nginx | A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component. | 2026-02-03 | 3.1 | CVE-2026-24513 | https://github.com/kubernetes/kubernetes/issues/136679 |
| fastify--fastify | Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify's Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3. | 2026-02-03 | 3.7 | CVE-2026-25224 | https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37 https://hackerone.com/reports/3524779 |
| opf--openproject | OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags. An attacker with administrator privileges can create a work package with a name containing HTML tags and add it to the Work package section when creating time tracking. This issue has been patched in versions 16.6.7 and 17.0.3. | 2026-02-06 | 3.5 | CVE-2026-25764 | https://github.com/opf/openproject/security/advisories/GHSA-q523-c695-h3hp https://github.com/opf/openproject/releases/tag/v16.6.7 https://github.com/opf/openproject/releases/tag/v17.0.3 |
| Fortinet--FortiOS | Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers "are supposed to enable" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the "Managing FortiGates with private data encryption" document, and is therefore intentionally not a default option. | 2026-02-05 | 3.2 | CVE-2026-25815 | https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings. | 2026-02-02 | 2.7 | CVE-2025-13881 | https://access.redhat.com/security/cve/CVE-2025-13881 RHBZ#2418330 |
| Tanium--Tanium Appliance | Tanium addressed an improper input validation vulnerability in Tanium Appliance. | 2026-02-05 | 2.7 | CVE-2025-15321 | TAN-2025-024 |
| IBM--PowerVM Hypervisor | IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 may expose a limited amount of data to a peer partition in specific shared processor configurations during certain operations. | 2026-02-02 | 2.8 | CVE-2025-36194 | https://www.ibm.com/support/pages/node/7257555 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak's CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. | 2026-02-02 | 2.7 | CVE-2026-1518 | https://access.redhat.com/security/cve/CVE-2026-1518 RHBZ#2433727 |
| D-Link--DSL-6641K | A vulnerability was found in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function doSubmitPPP of the file sp_pppoe_user.js. The manipulation of the argument Username results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-02 | 2.4 | CVE-2026-1744 | VDB-343675 \| D-Link DSL-6641K sp_pppoe_user.js doSubmitPPP cross site scripting VDB-343675 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742439 \| D-Link DSL6641K version N8.TR069.20131126 Cross Site Scripting https://tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-sp_pppoe_user-js-Configuration-2eeb5c52018a80d083aaf19efbaa9130?source=copy_link https://www.dlink.com/ |
| Hillstone Networks--Operation and Maintenance Security Gateway | Unrestricted Upload of File with Dangerous Type vulnerability in Hillstone Networks Operation and Maintenance Security Gateway on Linux allows Upload a Web Shell to a Web Server. This issue affects Operation and Maintenance Security Gateway: V5.5ST00001B113. | 2026-02-04 | 2.7 | CVE-2026-1791 | https://www.hillstonenet.com.cn/security-notification/2025/12/08/wgscld/ |
| Edimax--BR-6288ACL | A vulnerability has been found in Edimax BR-6288ACL up to 1.12. Impacted is the function wiz_WISP24gmanual of the file wiz_WISP24gmanual.asp. Such manipulation of the argument manualssid leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 2.4 | CVE-2026-1971 | VDB-344493 \| Edimax BR-6288ACL wiz_WISP24gmanual.asp wiz_WISP24gmanual cross site scripting VDB-344493 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #743318 \| Edimax BR6288ACL v1.12 Cross Site Scripting https://tzh00203.notion.site/EDIMAX-BR6288ACL-v1-12-XSS-via-wiz_WISP24gmanual-asp-Configuration-2eeb5c52018a802e8ed9f6d000f7a6aa?source=copy_link |
| code-projects--Online Student Management System | A weakness has been identified in code-projects Online Student Management System 1.0. The impacted element is an unknown function of the file /admin/announcement/index.php?view=add of the component Announcement Management Module. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 2.4 | CVE-2026-2156 | VDB-344858 \| code-projects Online Student Management System Announcement Management index.php cross site scripting VDB-344858 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #748328 \| code-projects Online Student Management System in PHP latest (no version specified by vendor) Cross-Site Scripting https://github.com/baguette168/CVE/issues/1 https://code-projects.org/ |
| asterisk--asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess(). If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in XML format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | 2026-02-06 | 2 | CVE-2026-23739 | https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| wintercms--winter | Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10. | 2026-02-06 | not yet calculated | CVE-2026-22254 | https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65 https://github.com/wintercms/winter/releases/tag/v1.2.10 |
| asterisk--asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission to that directory (which is all users on a Linux system) can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | 2026-02-06 | not yet calculated | CVE-2026-23740 | https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c |
| asterisk--asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Because /etc/asterisk/ast_debug_tools.conf follows bash semantics and is sourced, an attacker with write permissions may add or modify the file such that, when ast_coredumper is run as root, it sources and thereby executes arbitrary bash code found in /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | 2026-02-06 | not yet calculated | CVE-2026-23741 | https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3 |
| Arox--School ERP Pro | School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server. | 2026-02-03 | not yet calculated | CVE-2020-37084 | ExploitDB-48392 Archived Vendor Homepage Archived SourceForge Product Page VulnCheck Advisory: School ERP Pro 1.0 Admin Profile Photo Upload Remote Code Execution Vulnerability |
| Rubikon Teknoloji--Easy Transfer | Easy Transfer Wifi Transfer v1.7 for iOS contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts by manipulating the oldPath, newPath, and path parameters in Create Folder and Move/Edit functions. Attackers can exploit improper input validation via POST requests to execute arbitrary JavaScript in the context of the mobile web application. | 2026-02-03 | not yet calculated | CVE-2020-37087 | ExploitDB-48395 Vulnerability-Lab Advisory Official App Store Product Page VulnCheck Advisory: Easy Transfer 1.7 for iOS - Persistent Cross-Site Scripting |
| PHP-Fusion--PHP-Fusion | PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the 'panel_content' POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. This can be exploited by submitting crafted input to the 'panel_content' field in panels.php, resulting in execution of malicious scripts in the context of the affected site. | 2026-02-05 | not yet calculated | CVE-2020-37152 | Vendor Homepage ExploitDB-48299 VulnCheck Advisory: PHP-Fusion 9.03.50 panels.php - Cross-Site Scripting (XSS) |
| parisneo--parisneo/lollms-webui | A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post("/reinstall_extension")` route. This vulnerability allows attackers to inject a malicious `name` parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of `data.name` directly with `lollmsElfServer.lollms_paths.extensions_zoo_path` and its use as an argument for `ExtensionBuilder().build_extension()`. The server's handling of the `__init__.py` file in arbitrary locations, facilitated by `importlib.machinery.SourceFileLoader`, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to `0.0.0.0` or in `headless mode`. No user interaction is required for exploitation. | 2026-02-02 | not yet calculated | CVE-2024-2356 | https://huntr.com/bounties/cb9867b4-28e3-4406-9031-f66fc28553d4 https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25 |
| lunary-ai--lunary-ai/lunary | In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such resources without verifying if it belongs to the user's project or organization. As a result, users can remove prompts not owned by their organization or project, leading to legitimate users being unable to access the removed prompts and causing information inconsistencies. | 2026-02-02 | not yet calculated | CVE-2024-4147 | https://huntr.com/bounties/3f051943-71ea-414c-a528-cd8b5d82a7ad https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f |
| lunary-ai--lunary-ai/lunary | In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role user sends a specific request to the server, which responds with a password reset token in the 'recoveryToken' parameter. This token can then be used to reset the password of another user's account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts. | 2026-02-02 | not yet calculated | CVE-2024-5386 | https://huntr.com/bounties/602eb4a1-305d-46d6-b975-5a5d8b040ad1 https://github.com/lunary-ai/lunary/commit/fc7ab3d5621c18992da5dab3a2a9a8d227d42311 |
| h2oai--h2oai/h2o-3 | A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the `/3/Frames/framename/export` endpoint. The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files. | 2026-02-02 | not yet calculated | CVE-2024-5986 | https://huntr.com/bounties/64ff5319-6ac3-4447-87f7-b53495d4d5a3 |
| Nokia--Infinera DNA | Infinera DNA is vulnerable to a time-based SQL injection vulnerability due to insufficient input validation, which may result in leaking of sensitive information. | 2026-02-05 | not yet calculated | CVE-2025-10258 | Nokia Product Security Advisory |
| mlflow--mlflow/mlflow | In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0. | 2026-02-02 | not yet calculated | CVE-2025-10279 | https://huntr.com/bounties/01d3b81e-13d1-43aa-b91a-443aec68bdc8 https://github.com/mlflow/mlflow/commit/1d7c8d4cf0a67d407499a8a4ffac387ea4f8194a |
| Wikimedia Foundation--OATHAuth | Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php. This issue affects OATHAuth: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-11173 | https://phabricator.wikimedia.org/T401862 https://phabricator.wikimedia.org/T402094 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js. This issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2. | 2026-02-03 | not yet calculated | CVE-2025-11261 | https://phabricator.wikimedia.org/T406322 https://phabricator.wikimedia.org/T402077 |
| Centralny Ośrodek Informatyki--mObywatel | In the mObywatel iOS application, an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the last application view displayed before the application was minimized. This issue was fixed in version 4.71.0. | 2026-02-03 | not yet calculated | CVE-2025-11598 | https://info.mobywatel.gov.pl/ https://cert.pl/posts/2026/02/CVE-2025-11598 |
| silabs.com--Simplicity SDK | A truncated 802.15.4 packet can lead to an assert, resulting in a denial of service. | 2026-02-05 | not yet calculated | CVE-2025-12131 | https://community.silabs.com/068Vm00000g8dP3 |
| Brocade--SANnav | A vulnerability in Brocade SANnav before 2.4.0b prints the Password-Based Encryption (PBE) key in plaintext in the system audit log file. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the PBE key. Note: The vulnerability is only triggered during a migration and not in a new installation. The system audit logs are accessible only to a privileged user on the server. These audit logs are the local server VM's audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user. | 2026-02-02 | not yet calculated | CVE-2025-12679 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36845 |
| Brocade--SANnav | Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password. | 2026-02-02 | not yet calculated | CVE-2025-12680 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36844 |
| Brocade--SANnav | Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs. When OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the switch admin password. | 2026-02-02 | not yet calculated | CVE-2025-12772 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36846 |
| Brocade--SANnav | A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password. | 2026-02-03 | not yet calculated | CVE-2025-12773 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36847 |
| Brocade--SANnav | A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database SQL queries in the SANnav support save file. An attacker with access to the Brocade SANnav supportsave file could open the file and then obtain sensitive information such as details of database tables and encrypted passwords. | 2026-02-03 | not yet calculated | CVE-2025-12774 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36848 |
| ASUS--ASUS Business Manager | An improper access control vulnerability exists in ASUS Secure Delete Driver of ASUS Business Manager. This vulnerability can be triggered by a local user sending a specially crafted request, potentially leading to the creation of arbitrary files in a specified path. Refer to the "Security Update for ASUS Business Manager" section on the ASUS Security Advisory for more information. | 2026-02-02 | not yet calculated | CVE-2025-13348 | https://www.asus.com/security-advisory/ |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2025-13473 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| ESET spol s.r.o.--ESET Management Agent | Local privilege escalation vulnerability via insecure temporary batch file execution in ESET Management Agent | 2026-02-06 | not yet calculated | CVE-2025-13818 | https://support.eset.com/en/ca8913-eset-customer-advisory-local-privilege-escalation-via-insecure-temporary-batch-file-execution-in-eset-management-agent-for-windows-fixed |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2025-14550 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| Unknown--User Profile Builder | The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account. | 2026-02-02 | not yet calculated | CVE-2025-15030 | https://wpscan.com/vulnerability/344cb1b1-342e-44b2-ae4a-3bb31be56b22/ |
| Mitsubishi Electric Corporation--MELSEC iQ-R Series R08PCPU | Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08PCPU, R16PCPU, R32PCPU, and R120PCPU allows an unauthenticated attacker to read device data or part of a control program from the affected product, write device data in the affected product, or cause a denial of service (DoS) condition on the affected product by sending a specially crafted packet containing a specific command to the affected product. | 2026-02-05 | not yet calculated | CVE-2025-15080 | https://jvn.jp/vu/JVNVU95093080/ https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-020_en.pdf https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-02 |
| Unknown--Library Viewer | The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2026-02-02 | not yet calculated | CVE-2025-15396 | https://wpscan.com/vulnerability/08790e11-019d-4680-a75f-ee0a937f8cc8/ |
| Unknown--Post Slides | The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated user, such as those with contributor or higher roles, to perform LFI attacks. | 2026-02-07 | not yet calculated | CVE-2025-15491 | https://wpscan.com/vulnerability/eb0424cc-e60c-44a5-aa24-cd1fe042b27a/ |
| TP-Link Systems Inc.--Archer MR200 v5.2 | The response returned by TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is executed directly by a JavaScript function such as eval without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge. | 2026-02-05 | not yet calculated | CVE-2025-15551 | https://www.tp-link.com/en/support/download/archer-mr200/v5.20/#Firmware https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware https://www.tp-link.com/in/support/download/tl-wr850n/#Firmware https://www.tp-link.com/en/support/download/tl-wr845n/#Firmware https://www.tp-link.com/in/support/download/archer-mr200/v5.20/#Firmware https://www.tp-link.com/in/support/download/archer-c20/v6/#Firmware https://www.tp-link.com/in/support/download/tl-wr845n/#Firmware https://www.tp-link.com/us/support/faq/4948/ |
| notepad-plus-plus--notepad-plus-plus | Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user. | 2026-02-03 | not yet calculated | CVE-2025-15556 | https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix https://notepad-plus-plus.org/news/hijacked-incident-info-update/ https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb https://www.vulncheck.com/advisories/notepad-plus-plus-wingup-updater-lacks-update-integrity-verification |
| TP-Link Systems Inc.--Tapo H100 v1 | An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications. This may compromise the confidentiality and integrity of device-to-cloud communication, enabling manipulation of device data or operations. | 2026-02-05 | not yet calculated | CVE-2025-15557 | https://www.tp-link.com/us/support/download/tapo-h100/ https://www.tp-link.com/us/support/download/tapo-p100/ https://www.tp-link.com/en/support/download/tapo-h100/ https://www.tp-link.com/en/support/download/tapo-p100/ https://www.tp-link.com/us/support/faq/4949/ |
| Go standard library--os | It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. | 2026-02-04 | not yet calculated | CVE-2025-22873 | https://go.dev/cl/670036 https://go.dev/issue/73555 https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ https://pkg.go.dev/vuln/GO-2026-4403 |
| Hancom Inc.--Hancom Office 2018 | Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Hancom Inc. Hancom Office 2018, Hancom Inc. Hancom Office 2020, Hancom Inc. Hancom Office 2022, Hancom Inc. Hancom Office 2024 allows File Content Injection. This issue affects Hancom Office 2018: before 10.0.0.12681; Hancom Office 2020: before 11.0.0.8916; Hancom Office 2022: before 12.0.0.4426; Hancom Office 2024: before 13.0.0.3050. | 2026-02-04 | not yet calculated | CVE-2025-29867 | https://www.boho.or.kr/kr/bbs/view.do?searchCnd=&bbsId=B0000302&searchWrd=&menuNo=205023&pageIndex=1&categoryCode=&nttId=71959 https://www.hancom.com/support/downloadCenter/download |
| Significant-Gravitas--AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.32, there is a DoS vulnerability in ReadRSSFeedBlock. In RSSBlock, feedparser.parser is called to obtain the XML file according to the URL input by the user, parse the XML, and finally obtain the parsed result. However, during the parsing process, there is no limit on the parsing time and the resources that can be allocated for parsing. When a malicious user lets RSSBlock parse a carefully constructed, deep XML, it will cause memory resources to be exhausted, eventually causing DoS. This issue has been patched in autogpt-platform-beta-v0.6.32. | 2026-02-05 | not yet calculated | CVE-2025-32393 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-5cqw-g779-9f9x https://github.com/Significant-Gravitas/AutoGPT/commit/57a06f70883ce6be18738c6ae8bb41085c71e266 |
| Luna Imaging--LUNA | Stored Cross-Site Scripting (XSS) vulnerability in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the 'Edit Batch Name' function. The payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-02-03 | not yet calculated | CVE-2025-41065 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-luna-luna-imaging |
| Apidog--Apidog Web Platform | Stored Cross-Site Scripting (XSS) vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and executed in the context of any user accessing the compromised resource. | 2026-02-04 | not yet calculated | CVE-2025-41085 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-apidog-web-platform |
| n/a--Tinyfilemanager 2.6 | Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain name. This may lead to unauthorized port scanning or access to internal-only services. | 2026-02-03 | not yet calculated | CVE-2025-46651 | https://github.com/prasathmani/tinyfilemanager/blob/master/tinyfilemanager.php#L608 https://github.com/RobertoLuzanilla/tinyfilemanager-security-advisories/blob/main/CVE-2025-46651.md |
| golang.org/x/net--golang.org/x/net/html | The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | 2026-02-05 | not yet calculated | CVE-2025-47911 | https://go.dev/cl/709876 https://github.com/golang/vulndb/issues/4440 https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c https://pkg.go.dev/vuln/GO-2026-4440 |
| n/a--Beijing YouDataSum Tech | YouDataSum CPAS Audit Management System <=v4.9 is vulnerable to SQL Injection in /cpasList/findArchiveReportByDah due to insufficient input validation. This allows remote unauthenticated attackers to execute arbitrary SQL commands via crafted input to the parameter. Successful exploitation could lead to unauthorized data access. | 2026-02-03 | not yet calculated | CVE-2025-57529 | https://github.com/songqb-xx/CPAS-bug https://github.com/songqb-xx/CVE-2025-57529/blob/main/README.md |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted set of network packets containing an excessive number of host entries. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-58077 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| golang.org/x/net--golang.org/x/net/html | The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | 2026-02-05 | not yet calculated | CVE-2025-58190 | https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c https://github.com/golang/vulndb/issues/4441 https://go.dev/cl/709875 https://pkg.go.dev/vuln/GO-2026-4441 |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/send_delts write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58340 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58340/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/ap_cert_disable_ht_vht write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58341 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58341/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/uapsd write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58342 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58342/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/create_tspec write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58343 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58343/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation in a /proc/driver/unifi0/conn_log_event_burst_to_us write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58344 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58344/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/ap_certif_11ax_mode write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58345 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58345/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/send_addts write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58346 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58346/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/p2p_certif write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58347 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58347/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/confg_tspec write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58348 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58348 |
| Brocade--Fabric OS | Brocade Fabric OS before 9.2.1 has a vulnerability that could allow a local authenticated attacker to reveal command line passwords using commands that may expose higher privilege sensitive information by a lower privileged user. | 2026-02-03 | not yet calculated | CVE-2025-58379 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36850 |
| Brocade--Fabric OS | A vulnerability in Brocade Fabric OS before 9.2.1 could allow an authenticated attacker with admin privileges using the shell command "grep" to modify the path variables and move upwards in the directory structure or to traverse to different directories. | 2026-02-03 | not yet calculated | CVE-2025-58380 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36854 |
| Brocade--Fabric OS | A vulnerability in Brocade Fabric OS before 9.2.1c2 could allow an authenticated attacker with admin privileges using the shell commands "source", "ping6", "sleep", "disown", "wait" to modify the path variables and move upwards in the directory structure or to traverse to different directories. | 2026-02-03 | not yet calculated | CVE-2025-58381 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36853 |
| Brocade--Fabric OS | A vulnerability in the secure configuration of authentication and management services in Brocade Fabric OS before Fabric OS 9.2.1c2 could allow an authenticated, remote attacker with administrative credentials to execute arbitrary commands as root using the "supportsave", "seccertmgmt", "configupload" commands. | 2026-02-03 | not yet calculated | CVE-2025-58382 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36849 |
| Brocade--Fabric OS | A vulnerability in Brocade Fabric OS versions before 9.2.1c2 could allow an administrator-level user to execute the bind command, to escalate privileges and bypass security controls allowing the execution of arbitrary commands. | 2026-02-03 | not yet calculated | CVE-2025-58383 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36878 |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-58455 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| Semiconductor[.]Samsung[.]com--Processor Exynos | An issue was discovered in Samsung Mobile Processor, Wearable Processor and Modem Exynos 980, 990, 850, 1080, 9110, W920, W930, W1000 and Modem 5123. Incorrect handling of NAS Registration messages leads to a Denial of Service because of Improper Handling of Exceptional Conditions. | 2026-02-03 | not yet calculated | CVE-2025-59439 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59439/ |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-59482 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code. The vulnerability arises from improper validation of a packet field whose offset is used to determine the write location in memory. By crafting a packet with a manipulated field offset, an attacker can redirect writes to arbitrary memory locations. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-59487 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| NICE--NICE Chat | HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session. The injected HTML is included in the body of the email sent by the system, which could enable phishing attacks, impersonation, or credential theft. | 2026-02-03 | not yet calculated | CVE-2025-59902 | https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-nice-chat |
| www[.]pchelpsoft[.]com--Avanquest Driver Updater v.9 | Insecure Permissions vulnerability in avanquest Driver Updater v.9.1.57803.1174 allows a local attacker to escalate privileges via the Driver Updater Service windows component. | 2026-02-03 | not yet calculated | CVE-2025-60865 | https://www.pchelpsoft.com/products/driver-updater/ https://github.com/parad0x1334/CVE-Disclosures/tree/50e5d2bf33b2926db2cb14d47d392b38ac619a41/Driver%20Updater%20-%20PCHelpsoft |
| n/a--MediaCrush | An issue was discovered in MediaCrush through 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint. | 2026-02-03 | not yet calculated | CVE-2025-61506 | https://gist.github.com/pescada-dev/a046d36e8026bbaf1ee591c6dad0d7e6 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61634 | https://phabricator.wikimedia.org/T387478 |
| Wikimedia Foundation--ConfirmEdit | Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php. This issue affects ConfirmEdit: *. | 2026-02-02 | not yet calculated | CVE-2025-61635 | https://phabricator.wikimedia.org/T355073 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61636 | https://phabricator.wikimedia.org/T394396 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61637 | https://phabricator.wikimedia.org/T394856 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1. | 2026-02-02 | not yet calculated | CVE-2025-61638 | https://phabricator.wikimedia.org/T401099 |
| Wikimedia Foundation--MediaWiki | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61639 | https://phabricator.wikimedia.org/T280413 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61640 | https://phabricator.wikimedia.org/T402075 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61641 | https://phabricator.wikimedia.org/T298690 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61642 | https://phabricator.wikimedia.org/T402313 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61643 | https://phabricator.wikimedia.org/T403757 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before > fb856ce9cf121e046305116852cca4899ecb48ca. | 2026-02-02 | not yet calculated | CVE-2025-61644 | https://phabricator.wikimedia.org/T403411 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61645 | https://phabricator.wikimedia.org/T403761 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61646 | https://phabricator.wikimedia.org/T398706 |
| Wikimedia Foundation--CheckUser | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Api/Rest/Handler/UserInfoHandler.Php. This issue affects CheckUser: from a3dc1bbcc33acbcca6831d6afaccbb1054c93a57, 0584eb2ad564648aa3ce9c555dd044dda02b55f4. | 2026-02-03 | not yet calculated | CVE-2025-61647 | https://phabricator.wikimedia.org/T399093 |
| Wikimedia Foundation--CheckUser | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/ShowIPButton.Vue, modules/ext.CheckUser.TempAccounts/SpecialBlock.Js. This issue affects CheckUser: from * before 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61648 | https://phabricator.wikimedia.org/T402077 |
| Wikimedia Foundation--CheckUser | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from 7cedd58781d261f110651b6af4f41d2d11ae7309. | 2026-02-03 | not yet calculated | CVE-2025-61649 | https://phabricator.wikimedia.org/T397396 |
| Wikimedia Foundation--CheckUser | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from * before 795bf333272206a0189050d975e94b70eb7dc507. | 2026-02-03 | not yet calculated | CVE-2025-61650 | https://phabricator.wikimedia.org/T403289 |
| Wikimedia Foundation--CheckUser | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser/checkuser/checkUserHelper/buildUserElement.Js. This issue affects CheckUser: from * before 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61651 | https://phabricator.wikimedia.org/T403408 |
| Wikimedia Foundation--DiscussionTools | Vulnerability in Wikimedia Foundation DiscussionTools. This issue affects DiscussionTools: from * before 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61652 | https://phabricator.wikimedia.org/T397580 |
| Wikimedia Foundation--TextExtracts | Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associated with program files includes/ApiQueryExtracts.Php. This issue affects TextExtracts: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61653 | https://phabricator.wikimedia.org/T397577 |
| Wikimedia Foundation--Thanks | Vulnerability in Wikimedia Foundation Thanks. This vulnerability is associated with program files includes/ThanksQueryHelper.Php. This issue affects Thanks: from * before 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61654 | https://phabricator.wikimedia.org/T397497 https://nvd.nist.gov/vuln/detail/CVE-2025-62661 |
| Wikimedia Foundation--VisualEditor | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files includes/ApiVisualEditorEdit.Php, modules/ve-mw/init/targets/ve.Init.Mw.DesktopArticleTarget.Js, modules/ve-mw/ui/dialogs/ve.Ui.MWSaveDialog.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61655 | https://phabricator.wikimedia.org/T395858 |
| Wikimedia Foundation--VisualEditor | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61656 | https://phabricator.wikimedia.org/T397232 |
| Wikimedia Foundation--Vector | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/stickyHeader.Js. This issue affects Vector: from * before 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61657 | https://phabricator.wikimedia.org/T398636 |
| Wikimedia Foundation--CheckUser | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/GlobalContributions/GlobalContributionsPager.Php. This issue affects CheckUser: from * before 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61658 | https://phabricator.wikimedia.org/T404805 |
| Go toolchain--cmd/cgo | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | 2026-02-05 | not yet calculated | CVE-2025-61732 | https://go.dev/cl/734220 https://go.dev/issue/76697 https://groups.google.com/g/golang-announce/c/K09ubi9FQFk https://pkg.go.dev/vuln/GO-2026-4433 |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-61944 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-61983 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| run-llama--run-llama/llama_index | The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41. | 2026-02-02 | not yet calculated | CVE-2025-6208 | https://huntr.com/bounties/7d722bb6-6567-4608-8b23-f95048d7605a https://github.com/run-llama/llama_index/commit/53614e2f7913c0e86b58add9470b3c900b6c60b2 |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-62404 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-62405 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| TP-Link Systems Inc.--Archer AX53 v1.0 | SSH Hostkey misconfiguration vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows attackers to obtain device credentials through a specially crafted man‑in‑the‑middle (MITM) attack. This could enable unauthorized access if captured credentials are reused. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-62501 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage - specifically by tampering with the length field in readPropertySeq - are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62599 | https://security-tracker.debian.org/tracker/CVE-2025-62599 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage - specifically by tampering with the length field in readBinaryPropertySeq - are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62600 | https://security-tracker.debian.org/tracker/CVE-2025-62600 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage - specifically by tampering with the `str_size` value read by `readString` (called from `readBinaryProperty`) - are modified, a 32-bit integer overflow can occur, causing `std::vector::resize` to use an attacker-controlled size and quickly trigger heap buffer overflow and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62601 | https://security-tracker.debian.org/tracker/CVE-2025-62601 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with - specifically, `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter - the attacker-controlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause a large allocation attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62602 | https://security-tracker.debian.org/tracker/CVE-2025-62602 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also ongoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i.e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operates at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), so it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence numbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsing behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62603 | https://security-tracker.debian.org/tracker/CVE-2025-62603 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| Significant-Gravitas--AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.34, in RSSFeedBlock, the third-party library urllib.request.urlopen is used directly to access the URL, but the input URL is not filtered, resulting in an SSRF vulnerability. This issue has been patched in autogpt-platform-beta-v0.6.34. | 2026-02-04 | not yet calculated | CVE-2025-62615 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-r55v-q5pc-j57f |
| Significant-Gravitas--AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.34, in SendDiscordFileBlock, the third-party library aiohttp.ClientSession().get is used directly to access the URL, but the input URL is not filtered, resulting in an SSRF vulnerability. This issue has been patched in autogpt-platform-beta-v0.6.34. | 2026-02-04 | not yet calculated | CVE-2025-62616 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-ggc4-4fmm-9hmc |
| TP-Link Systems Inc.--Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tdpserver modules) allows adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a maliciously formed field. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-62673 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An unauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are crafted to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code writes past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62799 | https://security-tracker.debian.org/tracker/CVE-2025-62799 https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659 https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46 https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514 |
| Articentgroup--Zip Rar Extractor 1.3 | Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. | 2026-02-03 | not yet calculated | CVE-2025-63372 | https://articentgroup.com/zip-rar-extractor-tool/ |
| Shandong Kede Electronics--Water meter monitor v.1 | SQL Injection vulnerability in Shandong Kede Electronics Co., Ltd IoT smart water meter monitoring platform v.1.0 allows a remote attacker to execute arbitrary code via the imei_list.aspx file. | 2026-02-03 | not yet calculated | CVE-2025-63624 | https://github.com/songqb-xx/Internet-of-Things-Smart-Water-Meter-Monitoring-Platform-Unauthorized-RCE |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with - specifically by tampering with the `vecsize` value read by `readOctetVector` - a 32-bit integer overflow can occur, causing `std::vector::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-64098 | https://security-tracker.debian.org/tracker/CVE-2025-64098 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| gogs--gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | not yet calculated | CVE-2025-64111 | https://github.com/gogs/gogs/security/advisories/GHSA-gg64-xxr9-qhjp |
| gogs--gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim's username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim's 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | not yet calculated | CVE-2025-64175 | https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj |
| eProsima--Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast-DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList.base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of sequence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-64438 | https://security-tracker.debian.org/tracker/CVE-2025-64438 https://github.com/eProsima/Fast-DDS/commit/0b0cb308eaeeb2175694aa0a0a723106824ce9a7 https://github.com/eProsima/Fast-DDS/commit/71da01b4aea4d937558984f2cf0089f5ba3c871f https://github.com/eProsima/Fast-DDS/commit/8ca016134dac20b6e30e42b7b73466ef7cdbc213 |
| decidim--decidim | Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, private data exports can lead to data leaks when UUID generation causes collisions among the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0. | 2026-02-03 | not yet calculated | CVE-2025-65017 | https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp https://github.com/decidim/decidim/pull/13571 https://github.com/decidim/decidim/releases/tag/v0.30.4 https://github.com/decidim/decidim/releases/tag/v0.31.0 |
| Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | A relative path traversal vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. | 2026-02-03 | not yet calculated | CVE-2025-65077 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code. | 2026-02-03 | not yet calculated | CVE-2025-65078 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | A heap-based buffer overflow vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. | 2026-02-03 | not yet calculated | CVE-2025-65079 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | A type confusion vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. | 2026-02-03 | not yet calculated | CVE-2025-65080 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | An out-of-bounds read vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. | 2026-02-03 | not yet calculated | CVE-2025-65081 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php. This issue affects MediaWiki: >= 1.42.0. | 2026-02-02 | not yet calculated | CVE-2025-6589 | https://phabricator.wikimedia.org/T391343 |
| Wikimedia Foundation--MediaWiki | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6590 | https://phabricator.wikimedia.org/T392746 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6591 | https://phabricator.wikimedia.org/T392276 |
| Wikimedia Foundation--AbuseFilter | Vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects AbuseFilter: from fe0b1cb9e9691faf4d8d9bd80646589f6ec37615 before 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6592 | https://phabricator.wikimedia.org/T391218 |
| n/a--ERPNext | A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext through 15.88.1 when using the Update Existing Records option. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the affected record is viewed by a user within the ERPNext web interface. This exposure may allow an attacker to compromise user sessions or perform unauthorized actions under the context of a victim's account. | 2026-02-03 | not yet calculated | CVE-2025-65923 | https://github.com/frappe/frappe_docker.git |
| n/a--ERPNext | ERPNext through 15.88.1 does not sanitize or remove certain HTML tags, specifically `<a>` hyperlinks, in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the 'Add Quality Goal' function. | 2026-02-03 | not yet calculated | CVE-2025-65924 | https://github.com/frappe/frappe_docker.git |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6593 | https://phabricator.wikimedia.org/T396230 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6594 | https://phabricator.wikimedia.org/T395063 |
| Wikimedia Foundation--MultimediaViewer | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer. This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6595 | https://phabricator.wikimedia.org/T394863 |
| Wikimedia Foundation--Vector | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/portlets.Js, resources/skins.Vector.Legacy.Js/portlets.Js. This issue affects Vector: from >= 1.40.0 before 1.42.7, 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6596 | https://phabricator.wikimedia.org/T396685 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6597 | https://phabricator.wikimedia.org/T389009 |
| CyberArk--CyberArk Endpoint Agent v25.10.0 | CyberArk Endpoint Privilege Manager Agent through 25.10.0 allows a local user to achieve privilege escalation through policy elevation of an Administration task. | 2026-02-03 | not yet calculated | CVE-2025-66374 | https://www.cyberark.com/product-security/ https://www.cyberark.com/ca26-01 https://docs.cyberark.com/epm/latest/en/content/release%20notes/rn-whatsnew25-12.htm#Security |
| TOTOlink--A950RG Router | TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a buffer overflow vulnerability in the setUrlFilterRules interface of /lib/cste_modules/firewall.so. The vulnerability occurs because the `url` parameter is not properly validated for length, allowing remote attackers to trigger a buffer overflow, potentially leading to arbitrary code execution or denial of service. | 2026-02-03 | not yet calculated | CVE-2025-67186 | https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setUrlFliterRules-url-buffer.md |
| TOTOlink--A950RG Router | A stack-based buffer overflow vulnerability was identified in TOTOLINK A950RG V4.1.2cu.5204_B20210112. The flaw exists in the setIpQosRules interface of /lib/cste_modules/firewall.so where the comment parameter is not properly validated for length. | 2026-02-03 | not yet calculated | CVE-2025-67187 | https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setIpQosRules-comment-buffer.md |
| TOTOlink--A950RG Router | A buffer overflow vulnerability exists in TOTOLINK A950RG V4.1.2cu.5204_B20210112. The issue resides in the setRadvdCfg interface of the /lib/cste_modules/ipv6.so module. The function fails to properly validate the length of the user-controlled radvdinterfacename parameter, allowing remote attackers to trigger a stack buffer overflow. | 2026-02-03 | not yet calculated | CVE-2025-67188 | https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-ipv6-setRadvdCfg-radvdinterfacename-buffer.md |
| TOTOlink--A950RG Router | A buffer overflow vulnerability exists in the setParentalRules interface of TOTOLINK A950RG V4.1.2cu.5204_B20210112. The urlKeyword parameter is not properly validated, and the function concatenates multiple user-controlled fields into a fixed-size stack buffer without performing boundary checks. A remote attacker can exploit this flaw to cause denial of service or potentially achieve arbitrary code execution. | 2026-02-03 | not yet calculated | CVE-2025-67189 | https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setParentRules-urlKeyWord-buffer.md |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67475 | https://phabricator.wikimedia.org/T406664 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67476 | https://phabricator.wikimedia.org/T405859 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67477 | https://phabricator.wikimedia.org/T406639 |
| Wikimedia Foundation--CheckUser | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-67478 | https://phabricator.wikimedia.org/T385403 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Cite: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-67479 | https://phabricator.wikimedia.org/T407131 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67480 | https://phabricator.wikimedia.org/T401053 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67481 | https://phabricator.wikimedia.org/T251032 |
| Wikimedia Foundation--Scribunto | Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C. This issue affects Scribunto: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: from * before fea2304f8f6ab30314369a612f4f5b165e68e95a. | 2026-02-03 | not yet calculated | CVE-2025-67482 | https://phabricator.wikimedia.org/T408135 |
| Wikimedia Foundation--MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67483 | https://phabricator.wikimedia.org/T409226 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67484 | https://phabricator.wikimedia.org/T401995 |
| Go standard library--crypto/tls | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. | 2026-02-05 | not yet calculated | CVE-2025-68121 | https://groups.google.com/g/golang-announce/c/K09ubi9FQFk https://go.dev/cl/737700 https://go.dev/issue/77217 https://pkg.go.dev/vuln/GO-2026-4337 |
| Axigen--Mail Server | Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromised credentials. In the second stage, when the victim logs into the WebMail interface, the unsanitized timeFormat value is loaded from storage and inserted into the DOM, causing the injected script to execute. | 2026-02-05 | not yet calculated | CVE-2025-68643 | https://www.axigen.com/mail-server/download/ https://www.axigen.com/knowledgebase/Axigen-WebMail-Stored-XSS-Vulnerability-CVE-2025-68643-_405.html |
| Axigen--Mail Server | Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section. | 2026-02-05 | not yet calculated | CVE-2025-68721 | https://www.axigen.com/mail-server/download/ https://www.axigen.com/knowledgebase/Axigen-WebAdmin-Improper-Access-Control-Vulnerability-CVE-2025-68721-_406.html |
| Axigen--Mail Server | Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations. | 2026-02-05 | not yet calculated | CVE-2025-68722 | https://www.axigen.com/mail-server/download/ https://www.axigen.com/knowledgebase/Axigen-WebAdmin-CSRF-Vulnerability-CVE-2025-68722-_407.html |
| Axigen--Mail Server | Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the log file name parameter in the Local Services Log page, (2) certificate file content in the SSL Certificates View Usage feature, and (3) the Certificate File name parameter in the WebMail Listeners SSL settings. Attackers can inject malicious JavaScript payloads that execute in administrators' browsers when they access affected pages or features, enabling privilege escalation attacks where low-privileged admins can force high-privileged admins to perform unauthorized actions. | 2026-02-05 | not yet calculated | CVE-2025-68723 | https://www.axigen.com/mail-server/download/ https://www.axigen.com/knowledgebase/Axigen-WebAdmin-Stored-XSS-Vulnerabilities-CVE-2025-68723-_408.html |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server. | 2026-02-06 | not yet calculated | CVE-2025-69212 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36 |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists. | 2026-02-04 | not yet calculated | CVE-2025-69213 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options[matricola] parameter. | 2026-02-06 | not yet calculated | CVE-2025-69214 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, there is a SQL Injection vulnerability in the Stampe Module. At time of publication, no known patch exists. | 2026-02-04 | not yet calculated | CVE-2025-69215 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qx9p-w3vj-q24q |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability exists in templates/scadenzario/init.php, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization. The vulnerability enables complete database read access through error-based SQL injection techniques. | 2026-02-06 | not yet calculated | CVE-2025-69216 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6 |
| Wikimedia Foundation--MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php. This issue affects MediaWiki: from >= 1.42.0 before 1.39.13, 1.42.7, 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6927 | https://phabricator.wikimedia.org/T397595 |
| ORICO--NAS CD3510 | The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files. | 2026-02-03 | not yet calculated | CVE-2025-69429 | https://www.notion.so/ORICO-NAS-Incorrect-Symlink-Follow-2c36cf4e528a80b7bf0be4dcac758419?source=copy_link |
| Yottamaster NAS-- Symlink Follow | An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files. | 2026-02-03 | not yet calculated | CVE-2025-69430 | https://www.notion.so/Yottamaster-Incorrect-Symlink-Follow-2c36cf4e528a8001b37cdad4be7431f8?source=copy_link |
| ZSPACE--Q2C NAS | The ZSPACE Q2C NAS contains a vulnerability related to incorrect symbolic link following. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, and then access the USB drive's directory mounted on the NAS using the Samba protocol. This allows them to obtain all files within the NAS system and tamper with those files. | 2026-02-03 | not yet calculated | CVE-2025-69431 | https://www.notion.so/ZSPACE-Incorrect-Symlink-Follow-2c26cf4e528a8087ba14d9b1d31a5bb2?source=copy_link |
| Coto[.]com--Tarot, Astro & Healing v11.4 | An arbitrary file overwrite vulnerability in the file import process of Tarot, Astro & Healing v11.4.0 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information. | 2026-02-04 | not yet calculated | CVE-2025-69618 | https://secsys.fudan.edu.cn/ http://coto.com https://coto.world/ https://github.com/Secsys-FDU/AF_CVEs/issues/9 |
| Zipperapp[.]cafe24--Text Editor v1.6.2 | A path traversal in My Text Editor v1.6.2 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. | 2026-02-05 | not yet calculated | CVE-2025-69619 | http://my.com https://secsys.fudan.edu.cn/ http://zipperapp.cafe24.com/ https://github.com/Secsys-FDU/AF_CVEs/issues/10 |
| n/a--Moo Chan Song v4.5.7 | A path traversal in Moo Chan Song v4.5.7 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. | 2026-02-04 | not yet calculated | CVE-2025-69620 | https://secsys.fudan.edu.cn/ http://office.com http://www.ntoolslab.com/ https://github.com/Secsys-FDU/AF_CVEs/issues/11 |
| n/a--Comic Book Reader v1.0.95 | An arbitrary file overwrite vulnerability in the file import process of Comic Book Reader v1.0.95 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information. | 2026-02-04 | not yet calculated | CVE-2025-69621 | https://secsys.fudan.edu.cn/ http://comic.com https://android-tools.ru/ https://github.com/Secsys-FDU/AF_CVEs/issues/12 |
| n/a--NetBox | NetBox is an open-source infrastructure resource modeling and IP address management platform. A reflected cross-site scripting (XSS) vulnerability exists in versions 2.11.0 through 3.7.x in the ProtectedError handling logic, where object names are included in HTML error messages without proper escaping. This allows user-controlled content to be rendered in the web interface when a delete operation fails due to protected relationships, potentially enabling execution of arbitrary client-side code in the context of a privileged user. | 2026-02-03 | not yet calculated | CVE-2025-69848 | https://github.com/netbox-community/netbox |
| n/a--Quick Heal Security 23.0.0 | A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. This behavior can be abused by a local attacker to place files in high-privilege locations, potentially leading to privilege escalation. | 2026-02-03 | not yet calculated | CVE-2025-69875 | https://github.com/mertdas/QuickHealTotalSecurityPOC https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59439/ |
| n/a--Monstra CMS v3.0.4 | Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution. | 2026-02-05 | not yet calculated | CVE-2025-69906 | https://github.com/monstra-cms/monstra/tree/master/plugins/box/filesmanager https://github.com/cypherdavy/CVE-2025-69906-Monstra-CMS-3.0.4-Arbitrary-File-Upload-to-RCE |
| n/a--FUXA v1.2.7 | FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation. | 2026-02-03 | not yet calculated | CVE-2025-69970 | https://github.com/frangoteam/FUXA/blob/master/server/settings.default.js |
| n/a--FUXA v1.2.7 | FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access. | 2026-02-03 | not yet calculated | CVE-2025-69971 | https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js |
| n/a--FUXA v1.2.7 | FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code. | 2026-02-03 | not yet calculated | CVE-2025-69981 | https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js#L193 |
| n/a--FUXA v1.2.7 | FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise. | 2026-02-03 | not yet calculated | CVE-2025-69983 | https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js |
| n/a--ChestnutCMS v.1.5.8 | An issue in ChestnutCMS v.1.5.8 and before allows a remote attacker to execute arbitrary code via the template creation function. | 2026-02-05 | not yet calculated | CVE-2025-70073 | https://github.com/liweiyi/ChestnutCMS/issues/8 |
| n/a--JEEWMS 1.0 | JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can inject malicious SQL statements through the id1 and id2 parameters in the /systemControl.do interface. | 2026-02-03 | not yet calculated | CVE-2025-70311 | https://gitee.com/erzhongxmu/JEEWMS |
| PPC (Belden)--2K05X router firmware v1.1.9_206 | A stored cross-site scripting (XSS) vulnerability exists in the web management interface of the PPC (Belden) ONT 2K05X router running firmware v1.1.9_206L. The Common Gateway Interface (CGI) component improperly handles user-supplied input, allowing a remote, unauthenticated attacker to inject arbitrary JavaScript that is persistently stored and executed when the affected interface is accessed. | 2026-02-04 | not yet calculated | CVE-2025-70545 | http://ppc.com https://github.com/jeyabalaji711/CVE-2025-70545 |
| n/a--pdfminer.six | pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An attacker with the ability to place a malicious pickle file in a location accessible to the application can trigger arbitrary code execution or privilege escalation when the file is loaded by a trusted process. This is caused by an incomplete patch to CVE-2025-64512. | 2026-02-03 | not yet calculated | CVE-2025-70559 | https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc https://github.com/advisories/GHSA-f83h-ghpp-7wcc |
| n/a--Boltz 2.0 | Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded. | 2026-02-03 | not yet calculated | CVE-2025-70560 | https://github.com/jwohlwend/boltz/issues/600 https://github.com/jwohlwend/boltz/blob/cb04aeccdd480fd4db707f0bbafde538397fa2ac/src/boltz/data/mol.py#L80 |
| n/a--chetans9 | chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. This allows remote unauthenticated attackers to access protected pages.customer database. | 2026-02-03 | not yet calculated | CVE-2025-70758 | https://github.com/chetans9/core-php-admin-panel https://github.com/chetans9/core-php-admin-panel/blob/master/includes/auth_validate.php https://github.com/XavLimSG/Vulnerability-Research/tree/main/CVE-2025-70758 |
| n/a--Microweber 2.0.19 | Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20. | 2026-02-05 | not yet calculated | CVE-2025-70791 | https://github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f https://gist.github.com/TimRecktenwald/9615b9915a4cacda9f57bb57f13ab6d4 |
| n/a--n/a | Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20. | 2026-02-05 | not yet calculated | CVE-2025-70792 | https://github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f https://gist.github.com/TimRecktenwald/f4b0d1edbb87e75c17c639ca0bacba57 |
| n/a--podinfo | Arbitrary File Upload in podinfo through 6.9.0 allows unauthenticated attackers to upload arbitrary files via a crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS). | 2026-02-03 | not yet calculated | CVE-2025-70849 | https://gist.github.com/kazisabu/27f3e272f474005001a9ecd2c258dbea |
| n/a--Subrion CMS v4.2.1 | Multiple reflected cross-site scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allow attackers to execute arbitrary JavaScript in the context of the user's browser by injecting a crafted payload into the dbuser, dbpwd, and dbname parameters. | 2026-02-02 | not yet calculated | CVE-2025-70958 | https://github.com/emirhanyucell/Subrion-CMS-4.2.1/blob/main/subrion-cms-exploit.txt |
| n/a--Tendenci CMS v15.3.7 | A stored cross-site scripting (XSS) vulnerability in the Jobs module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. | 2026-02-02 | not yet calculated | CVE-2025-70959 | https://github.com/emirhanyucelll/tendenci/blob/main/Readme.md |
| n/a--Tendenci CMS v15.3.7 | A stored cross-site scripting (XSS) vulnerability in the Forums module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. | 2026-02-02 | not yet calculated | CVE-2025-70960 | https://github.com/emirhanyucelll/tendenci/blob/main/Readme.md |
| n/a--Gophish | Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user's long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context. | 2026-02-06 | not yet calculated | CVE-2025-70963 | https://github.com/gophish/gophish/issues/9366 |
| n/a--eladmin v2.7 | A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level. | 2026-02-04 | not yet calculated | CVE-2025-70997 | https://github.com/elunez/eladmin https://github.com/fofo137/CVE/issues/1 |
| n/a--n/a | Water-Melon Melon commit 9df9292 and below is vulnerable to Denial of Service. The HTTP component doesn't have any maximum length. As a result, an excessive request header could cause a denial of service by consuming RAM. | 2026-02-04 | not yet calculated | CVE-2025-71031 | https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/denial-of-service-in-melon-c-library https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/cve-2025-71031-denial-of-service-in-melon-c-library |
| danny-avila--danny-avila/librechat | A vulnerability in danny-avila/librechat allows attackers to exploit the unrestricted Fork Function in `/api/convos/fork` to fork numerous contents rapidly. If the forked content includes a Mermaid graph with a large number of nodes, it can lead to a JavaScript heap out of memory error upon service restart, causing a denial of service. This issue affects the latest version of the product. | 2026-02-02 | not yet calculated | CVE-2025-7105 | https://huntr.com/bounties/e44f0740-48bd-443b-8826-528e6afe9e34 https://github.com/danny-avila/librechat/commit/97a99985fa339db0a21ad63604e0bb8db4442ffc |
| n/a--Creativeitem Academy LMS 7.0 | Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bundles/search/query endpoint. These vulnerabilities are distinct from the patch for CVE-2023-4119, which only fixed XSS in query and sort_by parameters to the /academy/home/courses endpoint. | 2026-02-03 | not yet calculated | CVE-2025-71179 | https://codecanyon.net/item/academy-course-based-learning-management-system/22703468 https://creativeitem.com/products/academy-learning-management-system/ https://github.com/cod3rLucas/security-advisories/blob/main/CVE-2025-71179.md |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: ac97: fix a double free in snd_ac97_controller_register() If ac97_add_adapter() fails, put_device() is the correct way to drop the device reference. kfree() is not required. Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do the cleanup. Found by code review. | 2026-02-04 | not yet calculated | CVE-2025-71192 | https://git.kernel.org/stable/c/c80f9b3349a99a9d5b295f5bbc23f544c5995ad7 https://git.kernel.org/stable/c/21f8bc5179bed91c3f946adb5e55d717b891960c https://git.kernel.org/stable/c/fcc04c92cbb5497ce67c58dd2f0001bb87f40396 https://git.kernel.org/stable/c/cb73d37ac18bc1716690ff5255a0ef1952827e9e https://git.kernel.org/stable/c/830988b6cf197e6dcffdfe2008c5738e6c6c3c0f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data. There is a small window where the suspend callback may run after PM runtime enabling and before runtime forbid. This causes a sporadic crash during boot: ``` Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1 [...] CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT Workqueue: pm pm_runtime_work pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2] lr : pm_generic_runtime_suspend+0x2c/0x44 [...] ``` Attach the QPHY instance as driver data before enabling runtime PM to prevent NULL pointer dereference in runtime PM callbacks. Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a short window where an unnecessary runtime suspend can occur. Use the devres-managed version to ensure PM runtime is symmetrically disabled during driver removal for proper cleanup. | 2026-02-04 | not yet calculated | CVE-2025-71193 | https://git.kernel.org/stable/c/beba460a299150b5d8dcbe3474a8f4bdf0205180 https://git.kernel.org/stable/c/d50a9b7fd07296a1ab81c49ceba14cae3d31df86 https://git.kernel.org/stable/c/4ac15caa27ff842b068a54f1c6a8ff8b31f658e7 https://git.kernel.org/stable/c/1ca52c0983c34fca506921791202ed5bdafd5306 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock in wait_current_trans() due to ignored transaction type When wait_current_trans() is called during start_transaction(), it currently waits for a blocked transaction without considering whether the given transaction type actually needs to wait for that particular transaction state. The btrfs_blocked_trans_types[] array already defines which transaction types should wait for which transaction states, but this check was missing in wait_current_trans(). This can lead to a deadlock scenario involving two transactions and pending ordered extents: 1. Transaction A is in TRANS_STATE_COMMIT_DOING state 2. A worker processing an ordered extent calls start_transaction() with TRANS_JOIN 3. join_transaction() returns -EBUSY because Transaction A is in TRANS_STATE_COMMIT_DOING 4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes 5. A new Transaction B is created (TRANS_STATE_RUNNING) 6. The ordered extent from step 2 is added to Transaction B's pending ordered extents 7. Transaction B immediately starts commit by another task and enters TRANS_STATE_COMMIT_START 8. The worker finally reaches wait_current_trans(), sees Transaction B in TRANS_STATE_COMMIT_START (a blocked state), and waits unconditionally 9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START according to btrfs_blocked_trans_types[] 10. Transaction B is waiting for pending ordered extents to complete 11. Deadlock: Transaction B waits for ordered extent, ordered extent waits for Transaction B This can be illustrated by the following call stacks: CPU0 CPU1 btrfs_finish_ordered_io() start_transaction(TRANS_JOIN) join_transaction() # -EBUSY (Transaction A is # TRANS_STATE_COMMIT_DOING) # Transaction A completes # Transaction B created # ordered extent added to # Transaction B's pending list btrfs_commit_transaction() # Transaction B enters # TRANS_STATE_COMMIT_START # waiting for pending ordered # extents wait_current_trans() # waits for Transaction B # (should not wait!) Task bstore_kv_sync in btrfs_commit_transaction waiting for ordered extents: __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 btrfs_commit_transaction+0xbf7/0xda0 [btrfs] btrfs_sync_file+0x342/0x4d0 [btrfs] __x64_sys_fdatasync+0x4b/0x80 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Task kworker in wait_current_trans waiting for transaction commit: Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs] __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 wait_current_trans+0xb0/0x110 [btrfs] start_transaction+0x346/0x5b0 [btrfs] btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs] btrfs_work_helper+0xe8/0x350 [btrfs] process_one_work+0x1d3/0x3c0 worker_thread+0x4d/0x3e0 kthread+0x12d/0x150 ret_from_fork+0x1f/0x30 Fix this by passing the transaction type to wait_current_trans() and checking btrfs_blocked_trans_types[cur_trans->state] against the given type before deciding to wait. This ensures that transaction types which are allowed to join during certain blocked states will not unnecessarily wait and cause deadlocks. | 2026-02-04 | not yet calculated | CVE-2025-71194 | https://git.kernel.org/stable/c/e563f59395981fcd69d130761290929806e728d6 https://git.kernel.org/stable/c/dc84036c173cff6a432d9ab926298850b1d2a659 https://git.kernel.org/stable/c/d7b04b40ac8e6d814e35202a0e1568809b818295 https://git.kernel.org/stable/c/99da896614d17e8a84aeb2b2d464ac046cc8633d https://git.kernel.org/stable/c/8b0bb145d3bc264360f525c9717653be3522e528 https://git.kernel.org/stable/c/9ac63333d600732a56b35ee1fa46836da671eb50 https://git.kernel.org/stable/c/5037b342825df7094a4906d1e2a9674baab50cb2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: xilinx: xdma: Fix regmap max_register The max_register field is assigned the size of the register memory region instead of the offset of the last register. The result is that reading from the regmap via debugfs can cause a segmentation fault: tail /sys/kernel/debug/regmap/xdma.1.auto/registers Unable to handle kernel paging request at virtual address ffff800082f70000 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault [...] Call trace: regmap_mmio_read32le+0x10/0x30 _regmap_bus_reg_read+0x74/0xc0 _regmap_read+0x68/0x198 regmap_read+0x54/0x88 regmap_read_debugfs+0x140/0x380 regmap_map_read_file+0x30/0x48 full_proxy_read+0x68/0xc8 vfs_read+0xcc/0x310 ksys_read+0x7c/0x120 __arm64_sys_read+0x24/0x40 invoke_syscall.constprop.0+0x64/0x108 do_el0_svc+0xb0/0xd8 el0_svc+0x38/0x130 el0t_64_sync_handler+0x120/0x138 el0t_64_sync+0x194/0x198 Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- note: tail[1217] exited with irqs disabled note: tail[1217] exited with preempt_count 1 Segmentation fault | 2026-02-04 | not yet calculated | CVE-2025-71195 | https://git.kernel.org/stable/c/df8a131a41ff6202d47f59452735787f2b71dd2d https://git.kernel.org/stable/c/606ea969e78295407f4bf06aa0e272fe59897184 https://git.kernel.org/stable/c/5e7ad329d259cf5bed7530d6d2525bcf7cb487a1 https://git.kernel.org/stable/c/c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: phy: stm32-usphyc: Fix off by one in probe() The "index" variable is used as an index into the usbphyc->phys[] array which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys then it is one element out of bounds. The "index" comes from the device tree so it's data that we trust and it's unlikely to be wrong, however it's obviously still worth fixing the bug. Change the > to >=. | 2026-02-04 | not yet calculated | CVE-2025-71196 | https://git.kernel.org/stable/c/a9eec890879731c280697fdf1c50699e905b2fa7 https://git.kernel.org/stable/c/fb9d513cdf1614bf0f0e785816afb1faae3f81af https://git.kernel.org/stable/c/c06f13876cbad702582cd67fc77356e5524d02cd https://git.kernel.org/stable/c/76b870fdaad82171a24b8aacffe5e4d9e0d2ee2c https://git.kernel.org/stable/c/b91c9f6bfb04e430adeeac7e7ebc9d80f9d72bad https://git.kernel.org/stable/c/7c27eaf183563b86d815ff6e9cca0210b4cfa051 https://git.kernel.org/stable/c/cabd25b57216ddc132efbcc31f972baa03aad15a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: w1: therm: Fix off-by-one buffer overflow in alarms_store The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code. | 2026-02-04 | not yet calculated | CVE-2025-71197 | https://git.kernel.org/stable/c/49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95 https://git.kernel.org/stable/c/060b08d72a38b158a7f850d4b83c17c2969e0f6b https://git.kernel.org/stable/c/b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf https://git.kernel.org/stable/c/6a5820ecfa5a76c3d3e154802c8c15f391ef442e https://git.kernel.org/stable/c/6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0 https://git.kernel.org/stable/c/e6b2609af21b5cccc9559339591b8a2cbf884169 https://git.kernel.org/stable/c/761fcf46a1bd797bd32d23f3ea0141ffd437668a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection The st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL event_spec field, indicating support for IIO events. However, event detection is not supported for all sensors, and if userspace tries to configure accelerometer wakeup events on a sensor device that does not support them (e.g. LSM6DS0), st_lsm6dsx_write_event() dereferences a NULL pointer when trying to write to the wakeup register. Define an additional struct iio_chan_spec array whose members have a NULL event_spec field, and use this array instead of st_lsm6dsx_acc_channels for sensors without event detection capability. | 2026-02-04 | not yet calculated | CVE-2025-71198 | https://git.kernel.org/stable/c/7673167fac9323110973a3300637adba7d45de3a https://git.kernel.org/stable/c/4d60ffcdedfe2cdb68a1cde19bb292bc67451629 https://git.kernel.org/stable/c/81ed6e42d6e555dd978c9dd5e3f7c20cb121221b https://git.kernel.org/stable/c/c34e2e2d67b3bb8d5a6d09b0d6dac845cdd13fb3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq). If we remove the module which will call at91_adc_remove to make cleanup, it will free indio_dev through iio_device_unregister but quite a bit later. While the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | at91_adc_workq_handler at91_adc_remove | iio_device_unregister(indio_dev) | //free indio_dev a bit later | | iio_push_to_buffers(indio_dev) | //use indio_dev Fix it by ensuring that the work is canceled before proceeding with the cleanup in at91_adc_remove. | 2026-02-04 | not yet calculated | CVE-2025-71199 | https://git.kernel.org/stable/c/4c83dd62595ee7b7c9298a4d19a256b6647e7240 https://git.kernel.org/stable/c/fdc8c835c637a3473878d1e7438c77ab8928af63 https://git.kernel.org/stable/c/919d176b05776c7ede79c36744c823a07d631617 https://git.kernel.org/stable/c/9795fe80976f8c31cafda7d44edfc0f532d1f7c4 https://git.kernel.org/stable/c/d7b6fc224c7f5d6d8adcb18037138d3cfe2bbdfe https://git.kernel.org/stable/c/d890234a91570542c228a20f132ce74f9fedd904 https://git.kernel.org/stable/c/dbdb442218cd9d613adeab31a88ac973f22c4873 |
| Brocade--Fabric OS | A vulnerability in Brocade Fabric OS before 9.2.1c3 could allow elevating the privileges of the local authenticated user to "root" using the export option of seccertmgmt and seccryptocfg commands. | 2026-02-03 | not yet calculated | CVE-2025-9711 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36852 |
| Nokia--Nokia ONT | The unified WEBUI application of the ONT/Beacon device contains an input handling flaw that allows authenticated users to trigger unintended system-level command execution. Due to insufficient validation of user-supplied data, a low-privileged authenticated attacker may be able to execute arbitrary commands on the underlying ONT/Beacon operating system, potentially impacting the confidentiality, integrity, and availability of the device. | 2026-02-02 | not yet calculated | CVE-2025-9974 | Nokia Security Advisory |
| Google--Android | In vpu_mmap of vpu_ioctl, there is a possible arbitrary address mmap due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-02-05 | not yet calculated | CVE-2026-0106 | https://source.android.com/security/bulletin/pixel/2026-02-01 |
| Brocade--Fabric OS | A vulnerability in Brocade Fabric OS could allow an authenticated, local attacker with privileges to access the Bash shell to access insecurely stored file contents including the history command. | 2026-02-03 | not yet calculated | CVE-2026-0383 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36851 |
| TYDAC AG--MAP+ | A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker. This issue was verified in MAP+: 3.4.0. | 2026-02-06 | not yet calculated | CVE-2026-0521 | https://www.tydac.ch/en/mapplus/ https://www.redguard.ch/blog/2026/02/05/advisory-tydac-mapplus/ |
| huggingface--huggingface/text-generation-inference | A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET request, reading the entire response body into memory and cloning it before decoding. This behavior can lead to resource exhaustion, including network bandwidth saturation, memory inflation, and CPU overutilization. The vulnerability is triggered even if the request is later rejected for exceeding token limits. The default deployment configuration, which lacks memory usage limits and authentication, exacerbates the impact, potentially crashing the host machine. The issue is resolved in version 3.3.7. | 2026-02-02 | not yet calculated | CVE-2026-0599 | https://huntr.com/bounties/1d3f2085-666c-4441-b265-22f6f7d8d9cd https://github.com/huggingface/text-generation-inference/commit/24ee40d143d8d046039f12f76940a85886cbe152 |
| TP-Link Systems Inc.--AXE75 | When configured as L2TP/IPSec VPN server, Archer AXE75 V1 may accept connections using L2TP without IPSec protection, even when IPSec is enabled. This allows VPN sessions without encryption, exposing data in transit and compromising confidentiality. | 2026-02-03 | not yet calculated | CVE-2026-0620 | https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware https://www.tp-link.com/us/support/faq/4942/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(web modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-0630 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-0631 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| Unknown--Five Star Restaurant Reservations | The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks. | 2026-02-02 | not yet calculated | CVE-2026-0658 | https://wpscan.com/vulnerability/6e39090e-a4b2-4c16-806f-e2b1c456fb00/ |
| Moxa--UC-1200A Series | A physical attack vulnerability exists in certain Moxa industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3, where the discrete TPM is connected to the CPU via an SPI bus. Exploitation requires invasive physical access, including opening the device and attaching external equipment to the SPI bus to capture TPM communications. If successful, the captured data may allow offline decryption of eMMC contents. This attack cannot be performed through brief or opportunistic physical access and requires extended physical access, possession of the device, appropriate equipment, and sufficient time for signal capture and analysis. Remote exploitation is not possible. | 2026-02-05 | not yet calculated | CVE-2026-0714 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-255121-cve-2026-0714-cve-2026-0715-multiple-vulnerabilities-in-industrial-computers |
| Moxa--UC-1200A Series | Moxa Arm-based industrial computers running Moxa Industrial Linux Secure use a device-unique bootloader password provided on the device. An attacker with physical access to the device could use this information to access the bootloader menu via a serial interface. Access to the bootloader menu does not allow full system takeover or privilege escalation. The bootloader enforces digital signature verification and only permits flashing of Moxa-signed images. As a result, an attacker cannot install malicious firmware or execute arbitrary code. The primary impact is limited to a potential temporary denial-of-service condition if a valid image is reflashed. Remote exploitation is not possible. | 2026-02-05 | not yet calculated | CVE-2026-0715 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-255121-cve-2026-0714-cve-2026-0715-multiple-vulnerabilities-in-industrial-computers |
| Ercom--Cryptobox | On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allow an authenticated entity administrator with knowledge to elevate his account to global administrator. | 2026-02-04 | not yet calculated | CVE-2026-0873 | https://info.cryptobox.com/doc/v4.40/4.40.en/ |
| Dr.Buho--BuhoCleaner | BuhoCleaner contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions. This issue affects BuhoCleaner: 1.15.2. | 2026-02-02 | not yet calculated | CVE-2026-0924 | https://fluidattacks.com/advisories/solstafir https://www.drbuho.com/buhocleaner https://www.drbuho.com/buhocleaner/download |
| Drupal--Group invite | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing. This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4. | 2026-02-04 | not yet calculated | CVE-2026-0944 | https://www.drupal.org/sa-contrib-2026-001 |
| Drupal--Role Delegation | Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation. This issue affects Role Delegation: from 1.3.0 before 1.5.0. | 2026-02-04 | not yet calculated | CVE-2026-0945 | https://www.drupal.org/sa-contrib-2026-002 |
| Drupal--AT Internet SmartTag | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS). This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1. | 2026-02-04 | not yet calculated | CVE-2026-0946 | https://www.drupal.org/sa-contrib-2026-003 |
| Drupal--AT Internet Piano Analytics | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS). This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1. | 2026-02-04 | not yet calculated | CVE-2026-0947 | https://www.drupal.org/sa-contrib-2026-004 |
| Drupal--Microsoft Entra ID SSO Login | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation. This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4. | 2026-02-04 | not yet calculated | CVE-2026-0948 | https://www.drupal.org/sa-contrib-2026-005 |
| parisneo--parisneo/lollms | A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and `generate_msg_from` without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags (`lollmsElfServer.busy`, `lollmsElfServer.cancel_gen`) for state management in a multi-client environment introduces further vulnerabilities, enabling one client's actions to affect the server's state and other clients' operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service. | 2026-02-02 | not yet calculated | CVE-2026-1117 | https://huntr.com/bounties/d2846a7f-0140-4105-b1bb-5ef64ec8b829 https://github.com/parisneo/lollms/commit/36a5b513dfefe9c2913bf9b618457b4fea603e3b |
| ABC PRO SP. Z O.O.--EAP Legislator | EAP Legislator is vulnerable to Path Traversal in file extraction functionality. An attacker can prepare a zipx archive (default file type used by the Legislator application) and choose an arbitrary path outside the intended directory (e.g. system startup) where files will be extracted by the victim upon opening the file. This issue was fixed in version 2.25a. | 2026-02-02 | not yet calculated | CVE-2026-1186 | https://abcpro.pl/eap-legislator https://cert.pl/posts/2026/02/CVE-2026-1186 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on `RasterField` (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2026-1207 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| BeyondTrust--Privilege management for Windows | A medium-severity vulnerability has been identified in BeyondTrust Privilege Management for Windows versions <=25.7. Under certain conditions, a local authenticated user with elevated privileges may be able to bypass the product's anti-tamper protections, which could allow access to protected application components and the ability to modify product configuration. | 2026-02-02 | not yet calculated | CVE-2026-1232 | https://www.beyondtrust.com/trust-center/security-advisories/bt26-01 https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0023100 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2026-1285 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2026-1287 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| o6 Automation GmbH--Open62541 | In builds with PubSub and JSON enabled, a crafted JSON message can cause the decoder to write beyond a heap-allocated array before authentication, reliably crashing the process and corrupting memory. | 2026-02-05 | not yet calculated | CVE-2026-1301 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-03 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2026-1312 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| neo4j--Enterprise Edition | Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01. Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337 | 2026-02-06 | not yet calculated | CVE-2026-1337 | https://github.com/JoakimBulow/CVE-2026-1337 |
| Avation--Avation Light Engine Pro | Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control. | 2026-02-03 | not yet calculated | CVE-2026-1341 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-02 |
| T-Systems--Buroweb | SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information. | 2026-02-03 | not yet calculated | CVE-2026-1432 | https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-sqli-buroweb-platform |
| PRIMION DIGITEK--Digitek ADT1100 | Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server's file system, that is, 'http://<host>/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd'. By manipulating the input to include URL encoded directory traversal sequences (e.g., %2F representing /), an attacker can bypass the input validation mechanisms and retrieve sensitive files outside the intended directory, which could lead to information disclosure or further system compromise. | 2026-02-05 | not yet calculated | CVE-2026-1523 | https://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-digitek-grupo-azkoyen |
| Drupal--Drupal Canvas | Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing. This issue affects Drupal Canvas: from 0.0.0 before 1.0.4. | 2026-02-04 | not yet calculated | CVE-2026-1553 | https://www.drupal.org/sa-contrib-2026-006 |
| Drupal--Central Authentication System (CAS) Server | XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation. This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2. | 2026-02-04 | not yet calculated | CVE-2026-1554 | https://www.drupal.org/sa-contrib-2026-007 |
| neo4j--Enterprise Edition | Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j. | 2026-02-04 | not yet calculated | CVE-2026-1622 | https://neo4j.com/security/CVE-2026-1622 |
| N/A--N/A | Summary: An Insecure Direct Object Reference has been found to exist in `createHeaderBasedEmailResolver()` function within the Cloudflare Agents SDK. The issue occurs because the `Message-ID` and `References` headers are parsed to derive the target agentName and agentId without proper validation or origin checks, allowing an external attacker with control of these headers to route inbound mail to arbitrary Durable Object instances and namespaces. Root cause: The `createHeaderBasedEmailResolver()` function lacks cryptographic verification or origin validation for the headers used in the routing logic, effectively allowing external input to dictate internal object routing. Impact: Insecure Direct Object Reference (IDOR) in email routing lets an attacker steer inbound mail to arbitrary Agent instances via spoofed Message-ID. Mitigation: * PR: https://github.com/cloudflare/agents/blob/main/docs/email.md provides the necessary architectural context for coding agents to mitigate the issue by refactoring the resolver to enforce strict identity boundaries. * Agents-sdk users should upgrade to agents@0.3.7 | 2026-02-03 | not yet calculated | CVE-2026-1664 | https://github.com/cloudflare/agents |
| Python Packaging Authority--pip | When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations. | 2026-02-02 | not yet calculated | CVE-2026-1703 | https://github.com/pypa/pip/pull/13777 https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735 https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/ |
| Google Cloud--Gemini Enterprise (formerly Agentspace) | The Agentspace service was affected by a vulnerability that exposed sensitive information due to the use of predictable Google Cloud Storage bucket names. These names were utilized for error logs and temporary staging during data imports from GCS and Cloud SQL. This predictability allowed an attacker to engage in "bucket squatting" by establishing these buckets before a victim's initial use. All versions after December 12th, 2025 have been updated to protect from this vulnerability. No user action is required for this. | 2026-02-06 | not yet calculated | CVE-2026-1727 | https://docs.cloud.google.com/gemini/enterprise/docs/release-notes#February_06_2026 |
| BeyondTrust--Remote Support(RS) & Privileged Remote Access(PRA) | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. | 2026-02-06 | not yet calculated | CVE-2026-1731 | https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293 https://www.beyondtrust.com/trust-center/security-advisories/bt26-02 |
| CrafterCMS--CrafterCMS | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution). | 2026-02-02 | not yet calculated | CVE-2026-1770 | https://docs.craftercms.org/current/security/advisory.html#cv-2026020201 |
| Xquic Project--Xquic Server | Out-of-bounds Write vulnerability in Xquic Project Xquic Server xquic on Linux (QUIC protocol implementation, packet processing modules) allows Buffer Manipulation. This issue affects Xquic Server: through 1.8.3. | 2026-02-03 | not yet calculated | CVE-2026-1788 | https://github.com/alibaba/xquic |
| Rapid7--InsightVM/Nexpose | A security vulnerability has been identified in Rapid7 Nexpose. Remediation is in progress. | 2026-02-03 | not yet calculated | CVE-2026-1814 | https://www.atredis.com/disclosure |
| Google--Chrome | Heap buffer overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-02-03 | not yet calculated | CVE-2026-1861 | https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/478942410 |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-02-03 | not yet calculated | CVE-2026-1862 | https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/479726070 |
| Nukegraphic CMS--Nukegraphic CMS | Nukegraphic CMS v3.1.2 contains a stored cross-site scripting (XSS) vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before storing it in the database and rendering it across multiple CMS pages. An authenticated attacker with low privileges can inject malicious JavaScript payloads through the profile edit request, which are then executed site-wide whenever the affected user's name is displayed. This allows the attacker to execute arbitrary JavaScript in the context of other users' sessions, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. | 2026-02-05 | not yet calculated | CVE-2026-1953 | https://github.com/carlosbudiman/CVE-2026-1953-Disclosure |
| YugabyteDB Inc--YugabyteDB Anywhere | YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services. | 2026-02-05 | not yet calculated | CVE-2026-1966 | https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/ |
| MediaTek, Inc.--MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738310; Issue ID: MSV-5933. | 2026-02-02 | not yet calculated | CVE-2026-20401 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00693083; Issue ID: MSV-5928. | 2026-02-02 | not yet calculated | CVE-2026-20402 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8771, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893 | In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689254 (Note: For N15 and NR16) / MOLY01689259 (Note: For NR17 and NR17R); Issue ID: MSV-4843. | 2026-02-02 | not yet calculated | CVE-2026-20403 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689248; Issue ID: MSV-4837. | 2026-02-02 | not yet calculated | CVE-2026-20404 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01688495; Issue ID: MSV-4818. | 2026-02-02 | not yet calculated | CVE-2026-20405 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01726634; Issue ID: MSV-5728. | 2026-02-02 | not yet calculated | CVE-2026-20406 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT7902, MT7920, MT7921, MT7922, MT7925, MT7927 | In wlan STA driver, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00464377; Issue ID: MSV-4905. | 2026-02-02 | not yet calculated | CVE-2026-20407 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6890, MT7615, MT7915, MT7916, MT7981, MT7986 | In wlan, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461651; Issue ID: MSV-4758. | 2026-02-02 | not yet calculated | CVE-2026-20408 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6897, MT6989 | In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363246; Issue ID: MSV-5779. | 2026-02-02 | not yet calculated | CVE-2026-20409 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6897, MT6989, MT8370, MT8390, MT8395 | In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362552; Issue ID: MSV-5760. | 2026-02-02 | not yet calculated | CVE-2026-20410 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6878, MT6879, MT6881, MT6886, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT6993, MT8168, MT8188, MT8195, MT8365, MT8370, MT8390, MT8395, MT8666, MT8667, MT8673, MT8676, MT8793 | In cameraisp, there is a possible escalation of privilege due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5737. | 2026-02-02 | not yet calculated | CVE-2026-20411 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6878, MT6879, MT6881, MT6886, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT6993, MT8168, MT8188, MT8195, MT8365, MT8390, MT8395, MT8666, MT8667, MT8673, MT8676, MT8696, MT8793 | In cameraisp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5733. | 2026-02-02 | not yet calculated | CVE-2026-20412 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6899, MT6991, MT8678, MT8793 | In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362725; Issue ID: MSV-5694. | 2026-02-02 | not yet calculated | CVE-2026-20413 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6897, MT6989, MT8196, MT8678, MT8766, MT8768, MT8786, MT8796 | In imgsys, there is a possible escalation of privilege due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362999; Issue ID: MSV-5625. | 2026-02-02 | not yet calculated | CVE-2026-20414 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6897, MT6989 | In imgsys, there is a possible memory corruption due to improper locking. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363254; Issue ID: MSV-5617. | 2026-02-02 | not yet calculated | CVE-2026-20415 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6991, MT6993, MT8678 | In pcie, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10314946 / ALPS10340155; Issue ID: MSV-5154. | 2026-02-02 | not yet calculated | CVE-2026-20417 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT7931, MT7933 | In Thread, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465153; Issue ID: MSV-4927. | 2026-02-02 | not yet calculated | CVE-2026-20418 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT6890, MT6989TB, MT7902, MT7915, MT7916, MT7920, MT7921, MT7922, MT7925, MT7927, MT7981, MT7986, MT8196, MT8668, MT8676, MT8678, MT8775, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893, MT8910 | In wlan AP/STA firmware, the system may become unresponsive due to an uncaught exception. This could lead to remote (proximal/adjacent) denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461663 / WCNCR00463309; Issue ID: MSV-4852. | 2026-02-02 | not yet calculated | CVE-2026-20419 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8676, MT8791 | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738313; Issue ID: MSV-5935. | 2026-02-02 | not yet calculated | CVE-2026-20420 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8791 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738293; Issue ID: MSV-5922. | 2026-02-02 | not yet calculated | CVE-2026-20421 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8775, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00827332; Issue ID: MSV-5919. | 2026-02-02 | not yet calculated | CVE-2026-20422 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| ELECOM CO.,LTD.--WRC-X1500GS-B | Cross-site request forgery vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed. | 2026-02-03 | not yet calculated | CVE-2026-20704 | https://www.elecom.co.jp/news/security/20260203-01/ https://jvn.jp/en/jp/JVN94012927/ |
| Cybozu, Inc.--Cybozu Garoon | Cross-site scripting vulnerability exists in E-mail function of Cybozu Garoon 5.0.0 to 6.0.3, which may allow an attacker to reset arbitrary users' passwords. | 2026-02-02 | not yet calculated | CVE-2026-20711 | https://kb.cybozu.support/article/39081/ https://jvn.jp/en/jp/JVN35265756/ |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in Emergency Sharing prior to SMR Feb-2026 Release 1 allows local attackers to interrupt its functioning. | 2026-02-04 | not yet calculated | CVE-2026-20977 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Mobile Devices | Improper authorization in KnoxGuardManager prior to SMR Feb-2026 Release 1 allows local attackers to bypass the persistence configuration of the application. | 2026-02-04 | not yet calculated | CVE-2026-20978 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Mobile Devices | Improper privilege management in Settings prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Settings privilege. | 2026-02-04 | not yet calculated | CVE-2026-20979 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in PACM prior to SMR Feb-2026 Release 1 allows a physical attacker to execute arbitrary commands. | 2026-02-04 | not yet calculated | CVE-2026-20980 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in FacAtFunction prior to SMR Feb-2026 Release 1 allows a privileged physical attacker to execute arbitrary commands with system privilege. | 2026-02-04 | not yet calculated | CVE-2026-20981 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Mobile Devices | Path traversal in ShortcutService prior to SMR Feb-2026 Release 1 allows a privileged local attacker to create a file with system privilege. | 2026-02-04 | not yet calculated | CVE-2026-20982 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Mobile Devices | Improper export of Android application components in Samsung Dialer prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Samsung Dialer privilege. | 2026-02-04 | not yet calculated | CVE-2026-20983 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile--Galaxy Wearable | Improper handling of insufficient permission in Galaxy Wearable installed on non-Samsung Device prior to version 2.2.68 allows local attackers to access sensitive information. | 2026-02-04 | not yet calculated | CVE-2026-20984 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02 |
| Samsung Mobile--Samsung Members | Improper input validation in Samsung Members prior to version 5.6.00.11 allows remote attackers to connect to an arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability. | 2026-02-04 | not yet calculated | CVE-2026-20985 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02 |
| Samsung Mobile--Chinese Samsung Members | Path traversal in Samsung Members prior to Chinese version 15.5.05.4 allows local attackers to overwrite data within Samsung Members. | 2026-02-04 | not yet calculated | CVE-2026-20986 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02 |
| Samsung Mobile--GalaxyDiagnostics | Improper input validation in GalaxyDiagnostics prior to version 3.5.050 allows local privileged attackers to execute privileged commands. | 2026-02-04 | not yet calculated | CVE-2026-20987 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02 |
| Six Apart Ltd.--Movable Type (Software Edition) | Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | 2026-02-04 | not yet calculated | CVE-2026-21393 | https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html https://jvn.jp/en/jp/JVN45405689/ |
| Stackideas.com--EasyDiscuss extension for Joomla | Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector and information disclosure. | 2026-02-06 | not yet calculated | CVE-2026-21626 | https://stackideas.com/easydiscuss |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. This issue has been patched in version alpha.78. | 2026-02-03 | not yet calculated | CVE-2026-21862 | https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq |
| n8n-io--n8n | n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n's community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3. | 2026-02-04 | not yet calculated | CVE-2026-21893 | https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838 |
| TP-Link Systems Inc.--Archer BE230 v1.2 | A lack of proper input validation in the HTTP processing path in TP-Link Archer BE230 v1.2 (web modules) may allow a crafted request to cause the device's web service to become unresponsive, resulting in a denial of service condition. A network adjacent attacker with high privileges could cause the device's web interface to temporarily stop responding until it recovers or is rebooted. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-03 | not yet calculated | CVE-2026-22220 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4941/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2 (vpn modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22221 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2 (web modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22222 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2 (vpn modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22223 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin's authentication in the cloud communication interface on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22224 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin's authentication in the VPN Connection Service on the Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22225 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin's authentication in the VPN server configuration module on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22226 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin's authentication via the configuration backup restoration function of the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22227 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | An authenticated user with high privileges may trigger a denial‑of‑service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Restoring such a file can cause the device to become unresponsive, requiring a reboot to restore normal operation. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-03 | not yet calculated | CVE-2026-22228 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4941/ |
| TP-Link Systems Inc.--Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin's authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22229 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| ELECOM CO.,LTD.--WRC-X1500GS-B | OS command injection vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. A crafted request from a logged-in user may lead to an arbitrary OS command execution. | 2026-02-03 | not yet calculated | CVE-2026-22550 | https://www.elecom.co.jp/news/security/20260203-01/ https://jvn.jp/en/jp/JVN94012927/ |
| Six Apart Ltd.--Movable Type (Software Edition) | Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | 2026-02-04 | not yet calculated | CVE-2026-22875 | https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html https://jvn.jp/en/jp/JVN45405689/ |
| Cybozu, Inc.--Cybozu Garoon | Cross-site scripting vulnerability exists in Message function of Cybozu Garoon 5.15.0 to 6.0.3, which may allow an attacker to reset arbitrary users' passwords. | 2026-02-02 | not yet calculated | CVE-2026-22881 | https://kb.cybozu.support/article/39084/ https://jvn.jp/en/jp/JVN35265756/ |
| Cybozu, Inc.--Cybozu Garoon | Improper input verification issue exists in Cybozu Garoon 5.0.0 to 6.0.3, which may lead to unauthorized alteration of portal settings, potentially blocking access to the product. | 2026-02-02 | not yet calculated | CVE-2026-22888 | https://kb.cybozu.support/article/39083/ https://jvn.jp/en/jp/JVN35265756/ |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: fix typo in frequency notification The NAN notification is for 5745 MHz which corresponds to channel 149 and not 5475 which is not actually a valid channel. This could result in a NULL pointer dereference in cfg80211_next_nan_dw_notif. | 2026-02-04 | not yet calculated | CVE-2026-23040 | https://git.kernel.org/stable/c/1251bbdb8f5b2ea86ca9b4268a2e6aa34372ab33 https://git.kernel.org/stable/c/333418872bfecf4843f1ded7a4151685dfcf07d5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called, which invokes ptp_clock_unregister(). Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events"), ptp_clock_unregister() now calls ptp_disable_all_events(), which in turn invokes the driver's .enable() callback (bnxt_ptp_enable()) to disable PTP events before completing the unregistration. bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin() and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This function tries to allocate from bp->hwrm_dma_pool, causing a NULL pointer dereference: bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] Call Trace: __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72) bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517) ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66) ptp_clock_unregister (drivers/ptp/ptp_clock.c:518) bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134) bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889) Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3") Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before freeing HWRM resources. | 2026-02-04 | not yet calculated | CVE-2026-23041 | https://git.kernel.org/stable/c/0174d5466caefc22f03a36c43b2a3cce7e332627 https://git.kernel.org/stable/c/3358995b1a7f9dcb52a56ec8251570d71024dad0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix aux device unplugging when rdma is not supported by vport If vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not allocate vdev_info for this vport. This leads to kernel NULL pointer dereference in idpf_idc_vport_dev_down(), which references vdev_info for every vport regardless. Check, if vdev_info was ever allocated before unplugging aux device. | 2026-02-04 | not yet calculated | CVE-2026-23042 | https://git.kernel.org/stable/c/0ad6d6e50e9d8bf596cfe77a882ddc20b29f525a https://git.kernel.org/stable/c/4648fb2f2e7210c53b85220ee07d42d1e4bae3f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL pointer dereference in do_abort_log_replay() Coverity reported a NULL pointer dereference issue (CID 1666756) in do_abort_log_replay(). When btrfs_alloc_path() fails in replay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay() calls do_abort_log_replay() which unconditionally dereferences wc->subvol_path when attempting to print debug information. Fix this by adding a NULL check before dereferencing wc->subvol_path in do_abort_log_replay(). | 2026-02-04 | not yet calculated | CVE-2026-23043 | https://git.kernel.org/stable/c/6d1b61b8e1e44888c643d89225ab819b10649b2e https://git.kernel.org/stable/c/530e3d4af566ca44807d79359b90794dea24c4f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PM: hibernate: Fix crash when freeing invalid crypto compressor When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL. The cleanup code in save_compressed_image() and load_compressed_image() unconditionally calls crypto_free_acomp() without checking for ERR_PTR, which causes crypto_acomp_tfm() to dereference an invalid pointer and crash the kernel. This can be triggered when the compression algorithm is unavailable (e.g., CONFIG_CRYPTO_LZO not enabled). Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp() and acomp_request_free(), similar to the existing kthread_stop() check. [ rjw: Added 2 empty code lines ] | 2026-02-04 | not yet calculated | CVE-2026-23044 | https://git.kernel.org/stable/c/b7a883b0135dbc6817e90a829421c9fc8cd94bad https://git.kernel.org/stable/c/7966cf0ebe32c981bfa3db252cb5fc3bb1bf2e77 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/ena: fix missing lock when update devlink params Fix assert lock warning while calling devl_param_driverinit_value_set() in ena. WARNING: net/devlink/core.c:261 at devl_assert_locked+0x62/0x90, CPU#0: kworker/0:0/9 CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.19.0-rc2+ #1 PREEMPT(lazy) Hardware name: Amazon EC2 m8i-flex.4xlarge/, BIOS 1.0 10/16/2017 Workqueue: events work_for_cpu_fn RIP: 0010:devl_assert_locked+0x62/0x90 Call Trace: <TASK> devl_param_driverinit_value_set+0x15/0x1c0 ena_devlink_alloc+0x18c/0x220 [ena] ? __pfx_ena_devlink_alloc+0x10/0x10 [ena] ? trace_hardirqs_on+0x18/0x140 ? lockdep_hardirqs_on+0x8c/0x130 ? __raw_spin_unlock_irqrestore+0x5d/0x80 ? __raw_spin_unlock_irqrestore+0x46/0x80 ? devm_ioremap_wc+0x9a/0xd0 ena_probe+0x4d2/0x1b20 [ena] ? __lock_acquire+0x56a/0xbd0 ? __pfx_ena_probe+0x10/0x10 [ena] ? local_clock+0x15/0x30 ? __lock_release.isra.0+0x1c9/0x340 ? mark_held_locks+0x40/0x70 ? lockdep_hardirqs_on_prepare.part.0+0x92/0x170 ? trace_hardirqs_on+0x18/0x140 ? lockdep_hardirqs_on+0x8c/0x130 ? __raw_spin_unlock_irqrestore+0x5d/0x80 ? __raw_spin_unlock_irqrestore+0x46/0x80 ? __pfx_ena_probe+0x10/0x10 [ena] ...... </TASK> | 2026-02-04 | not yet calculated | CVE-2026-23045 | https://git.kernel.org/stable/c/f2c4bcfa193eef1b7457a56be9c47a8de015f225 https://git.kernel.org/stable/c/8da901ffe497a53fa4ecc3ceed0e6d771586f88e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio_net: fix device mismatch in devm_kzalloc/devm_kfree Initial rss_hdr allocation uses virtio_device->device, but virtnet_set_queues() frees using net_device->device. This device mismatch causing below devres warning [ 3788.514041] ------------[ cut here ]------------ [ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463 [ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa] [ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G W 6.18.0 #10 PREEMPT [ 3788.514067] Tainted: [W]=WARN [ 3788.514069] Hardware name: Marvell CN106XX board (DT) [ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) [ 3788.514074] pc : devm_kfree+0x84/0x98 [ 3788.514076] lr : devm_kfree+0x54/0x98 [ 3788.514079] sp : ffff800084e2f220 [ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f [ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080 [ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018 [ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000 [ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff [ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff [ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c [ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f [ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080 [ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000 [ 3788.514123] Call trace: [ 3788.514125] devm_kfree+0x84/0x98 (P) [ 3788.514129] virtnet_set_queues+0x134/0x2e8 [virtio_net] [ 3788.514135] virtnet_probe+0x9c0/0xe00 [virtio_net] [ 3788.514139] virtio_dev_probe+0x1e0/0x338 [ 3788.514144] really_probe+0xc8/0x3a0 [ 3788.514149] __driver_probe_device+0x84/0x170 [ 3788.514152] driver_probe_device+0x44/0x120 [ 3788.514155] __device_attach_driver+0xc4/0x168 [ 3788.514158] bus_for_each_drv+0x8c/0xf0 [ 3788.514161] __device_attach+0xa4/0x1c0 [ 3788.514164] device_initial_probe+0x1c/0x30 [ 3788.514168] bus_probe_device+0xb4/0xc0 [ 3788.514170] device_add+0x614/0x828 [ 3788.514173] register_virtio_device+0x214/0x258 [ 3788.514175] virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa] [ 3788.514179] vdpa_dev_probe+0xa8/0xd8 [ 3788.514183] really_probe+0xc8/0x3a0 [ 3788.514186] __driver_probe_device+0x84/0x170 [ 3788.514189] driver_probe_device+0x44/0x120 [ 3788.514192] __device_attach_driver+0xc4/0x168 [ 3788.514195] bus_for_each_drv+0x8c/0xf0 [ 3788.514197] __device_attach+0xa4/0x1c0 [ 3788.514200] device_initial_probe+0x1c/0x30 [ 3788.514203] bus_probe_device+0xb4/0xc0 [ 3788.514206] device_add+0x614/0x828 [ 3788.514209] _vdpa_register_device+0x58/0x88 [ 3788.514211] octep_vdpa_dev_add+0x104/0x228 [octep_vdpa] [ 3788.514215] vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0 [ 3788.514218] genl_family_rcv_msg_doit+0xe4/0x158 [ 3788.514222] genl_rcv_msg+0x218/0x298 [ 3788.514225] netlink_rcv_skb+0x64/0x138 [ 3788.514229] genl_rcv+0x40/0x60 [ 3788.514233] netlink_unicast+0x32c/0x3b0 [ 3788.514237] netlink_sendmsg+0x170/0x3b8 [ 3788.514241] __sys_sendto+0x12c/0x1c0 [ 3788.514246] __arm64_sys_sendto+0x30/0x48 [ 3788.514249] invoke_syscall.constprop.0+0x58/0xf8 [ 3788.514255] do_el0_svc+0x48/0xd0 [ 3788.514259] el0_svc+0x48/0x210 [ 3788.514264] el0t_64_sync_handler+0xa0/0xe8 [ 3788.514268] el0t_64_sync+0x198/0x1a0 [ 3788.514271] ---[ end trace 0000000000000000 ]--- Fix by using virtio_device->device consistently for allocation and deallocation | 2026-02-04 | not yet calculated | CVE-2026-23046 | https://git.kernel.org/stable/c/a5e2d902f64c76169c771f584559c82b588090e3 https://git.kernel.org/stable/c/acb4bc6e1ba34ae1a34a9334a1ce8474c909466e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: make calc_target() set t->paused, not just clear it Currently calc_target() clears t->paused if the request shouldn't be paused anymore, but doesn't ever set t->paused even though it's able to determine when the request should be paused. Setting t->paused is left to __submit_request() which is fine for regular requests but doesn't work for linger requests -- since __submit_request() doesn't operate on linger requests, there is nowhere for lreq->t.paused to be set. One consequence of this is that watches don't get reestablished on paused -> unpaused transitions in cases where requests have been paused long enough for the (paused) unwatch request to time out and for the subsequent (re)watch request to enter the paused state. On top of the watch not getting reestablished, rbd_reregister_watch() gets stuck with rbd_dev->watch_mutex held: rbd_register_watch __rbd_register_watch ceph_osdc_watch linger_reg_commit_wait It's waiting for lreq->reg_commit_wait to be completed, but for that to happen the respective request needs to end up on need_resend_linger list and be kicked when requests are unpaused. There is no chance for that if the request in question is never marked paused in the first place. The fact that rbd_dev->watch_mutex remains taken out forever then prevents the image from getting unmapped -- "rbd unmap" would inevitably hang in D state on an attempt to grab the mutex. | 2026-02-04 | not yet calculated | CVE-2026-23047 | https://git.kernel.org/stable/c/2b3329b3c29d9e188e40d902d5230c2d5989b940 https://git.kernel.org/stable/c/5d0dc83cb9a69c1d0bea58f1c430199b05f6b021 https://git.kernel.org/stable/c/4d3399c52e0e61720ae898f5a0b5b75d4460ae24 https://git.kernel.org/stable/c/4ebc711b738d139cabe2fc9e7e7749847676a342 https://git.kernel.org/stable/c/6f468f6ff233c6a81e0e761d9124e982903fe9a5 https://git.kernel.org/stable/c/5647d42c47b535573b63e073e91164d6a5bb058c https://git.kernel.org/stable/c/c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: udp: call skb_orphan() before skb_attempt_defer_free() Standard UDP receive path does not use skb->destructor. But skmsg layer does use it, since it calls skb_set_owner_sk_safe() from udp_read_skb(). This then triggers this warning in skb_attempt_defer_free(): DEBUG_NET_WARN_ON_ONCE(skb->destructor); We must call skb_orphan() to fix this issue. | 2026-02-04 | not yet calculated | CVE-2026-23048 | https://git.kernel.org/stable/c/0c63d5683eae6a7b4d81382bcbecb2a19feff90d https://git.kernel.org/stable/c/e5c8eda39a9fc1547d1398d707aa06c1d080abdd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel The connector type for the DataImage SCF0700C48GGU18 panel is missing and devm_drm_panel_bridge_add() requires connector type to be set. This leads to a warning and a backtrace in the kernel log and panel does not work: " WARNING: CPU: 3 PID: 38 at drivers/gpu/drm/bridge/panel.c:379 devm_drm_of_get_bridge+0xac/0xb8 " The warning is triggered by a check for valid connector type in devm_drm_panel_bridge_add(). If there is no valid connector type set for a panel, the warning is printed and panel is not added. Fill in the missing connector type to fix the warning and make the panel operational once again. | 2026-02-04 | not yet calculated | CVE-2026-23049 | https://git.kernel.org/stable/c/f4c330b4499e7334ec6fce535574e09d55843d71 https://git.kernel.org/stable/c/bb309377eece5317207d71fd833f99cca4727fbd https://git.kernel.org/stable/c/83e0d8d22e7ee3151af1951595104887eebed6ab https://git.kernel.org/stable/c/bc0b17bdba3838e9e17e7e9adc968384ac99938b https://git.kernel.org/stable/c/04218cd68d1502000823c8288f37b4f171dcdcae https://git.kernel.org/stable/c/f7940d3ec1dc6bf719eddc69d4b8e52cc2201896 https://git.kernel.org/stable/c/6ab3d4353bf75005eaa375677c9fed31148154d6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix a deadlock when returning a delegation during open() Ben Coddington reports seeing a hang in the following stack trace: 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415 1 [ffffd0b50e177548] schedule at ffffffff9ca05717 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4] 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4] 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4] 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4] 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4] 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4] 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4] 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4] 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4] 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4] 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4] 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4] 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935 The issue is that the delegreturn is being asked to wait for a layout return that cannot complete because a state recovery was initiated. The state recovery cannot complete until the open() finishes processing the delegations it was given. The solution is to propagate the existing flags that indicate a non-blocking call to the function pnfs_roc(), so that it knows not to wait in this situation. | 2026-02-04 | not yet calculated | CVE-2026-23050 | https://git.kernel.org/stable/c/a316fd9d3065b753b03d802530004aea481512cc https://git.kernel.org/stable/c/d6c75aa9d607044d1e5c8498eff0259eed356c32 https://git.kernel.org/stable/c/857bf9056291a16785ae3be1d291026b2437fc48 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix drm panic null pointer when driver not support atomic When driver not support atomic, fb using plane->fb rather than plane->state->fb. (cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef) | 2026-02-04 | not yet calculated | CVE-2026-23051 | https://git.kernel.org/stable/c/a1aedf4053af7dad3772b94b057a7d1f5473055f https://git.kernel.org/stable/c/9cb6278b44c38899961b36d303d7b18b38be2a6e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ftrace: Do not over-allocate ftrace memory The pg_remaining calculation in ftrace_process_locs() assumes that ENTRIES_PER_PAGE multiplied by 2^order equals the actual capacity of the allocated page group. However, ENTRIES_PER_PAGE is PAGE_SIZE / ENTRY_SIZE (integer division). When PAGE_SIZE is not a multiple of ENTRY_SIZE (e.g. 4096 / 24 = 170 with remainder 16), high-order allocations (like 256 pages) have significantly more capacity than 256 * 170. This leads to pg_remaining being underestimated, which in turn makes skip (derived from skipped - pg_remaining) larger than expected, causing the WARN(skip != remaining) to trigger. Extra allocated pages for ftrace: 2 with 654 skipped WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7295 ftrace_process_locs+0x5bf/0x5e0 A similar problem in ftrace_allocate_records() can result in allocating too many pages. This can trigger the second warning in ftrace_process_locs(). Extra allocated pages for ftrace WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7276 ftrace_process_locs+0x548/0x580 Use the actual capacity of a page group to determine the number of pages to allocate. Have ftrace_allocate_pages() return the number of allocated pages to avoid having to calculate it. Use the actual page group capacity when validating the number of unused pages due to skipped entries. Drop the definition of ENTRIES_PER_PAGE since it is no longer used. | 2026-02-04 | not yet calculated | CVE-2026-23052 | https://git.kernel.org/stable/c/9aef476717994e96dadfb359641c4b82b521aa36 https://git.kernel.org/stable/c/be55257fab181b93af38f8c4b1b3cb453a78d742 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a deadlock involving nfs_release_folio() Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery waiting on kthreadd, which is attempting to reclaim memory by calling nfs_release_folio(). The latter cannot make progress due to state recovery being needed. It seems that the only safe thing to do here is to kick off a writeback of the folio, without waiting for completion, or else kicking off an asynchronous commit. | 2026-02-04 | not yet calculated | CVE-2026-23053 | https://git.kernel.org/stable/c/49d352bc263fe4a834233338bfaad31b3109addf https://git.kernel.org/stable/c/19b4d9ab5e77843eac0429c019470c02f8710b55 https://git.kernel.org/stable/c/cce0be6eb4971456b703aaeafd571650d314bcca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hv_netvsc: reject RSS hash key programming without RX indirection table RSS configuration requires a valid RX indirection table. When the device reports a single receive queue, rndis_filter_device_add() does not allocate an indirection table, accepting RSS hash key updates in this state leads to a hang. Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return -EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device capabilities and prevents incorrect behavior. | 2026-02-04 | not yet calculated | CVE-2026-23054 | https://git.kernel.org/stable/c/8288136f508e78eb3563e7073975999cf225a2f9 https://git.kernel.org/stable/c/82c9039c8ebb715753a40434df714f865a3aec9c https://git.kernel.org/stable/c/4cd55c609e85ae2313248ef1a33619a3eef44a16 https://git.kernel.org/stable/c/11dd9a9ef4dc4507a15a69b8511a0013c6c28fa3 https://git.kernel.org/stable/c/d23564955811da493f34412d7de60fa268c8cb50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i2c: riic: Move suspend handling to NOIRQ phase Commit 53326135d0e0 ("i2c: riic: Add suspend/resume support") added suspend support for the Renesas I2C driver and following this change on RZ/G3E the following WARNING is seen on entering suspend ... [ 134.275704] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) [ 134.285536] ------------[ cut here ]------------ [ 134.290298] i2c i2c-2: Transfer while suspended [ 134.295174] WARNING: drivers/i2c/i2c-core.h:56 at __i2c_smbus_xfer+0x1e4/0x214, CPU#0: systemd-sleep/388 [ 134.365507] Tainted: [W]=WARN [ 134.368485] Hardware name: Renesas SMARC EVK version 2 based on r9a09g047e57 (DT) [ 134.375961] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 134.382935] pc : __i2c_smbus_xfer+0x1e4/0x214 [ 134.387329] lr : __i2c_smbus_xfer+0x1e4/0x214 [ 134.391717] sp : ffff800083f23860 [ 134.395040] x29: ffff800083f23860 x28: 0000000000000000 x27: ffff800082ed5d60 [ 134.402226] x26: 0000001f4395fd74 x25: 0000000000000007 x24: 0000000000000001 [ 134.409408] x23: 0000000000000000 x22: 000000000000006f x21: ffff800083f23936 [ 134.416589] x20: ffff0000c090e140 x19: ffff0000c090e0d0 x18: 0000000000000006 [ 134.423771] x17: 6f63657320313030 x16: 2e30206465737061 x15: ffff800083f23280 [ 134.430953] x14: 0000000000000000 x13: ffff800082b16ce8 x12: 0000000000000f09 [ 134.438134] x11: 0000000000000503 x10: ffff800082b6ece8 x9 : ffff800082b16ce8 [ 134.445315] x8 : 00000000ffffefff x7 : ffff800082b6ece8 x6 : 80000000fffff000 [ 134.452495] x5 : 0000000000000504 x4 : 0000000000000000 x3 : 0000000000000000 [ 134.459672] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c9ee9e80 [ 134.466851] Call trace: [ 134.469311] __i2c_smbus_xfer+0x1e4/0x214 (P) [ 134.473715] i2c_smbus_xfer+0xbc/0x120 [ 134.477507] i2c_smbus_read_byte_data+0x4c/0x84 [ 134.482077] isl1208_i2c_read_time+0x44/0x178 [rtc_isl1208] [ 134.487703] isl1208_rtc_read_time+0x14/0x20 [rtc_isl1208] [ 134.493226] __rtc_read_time+0x44/0x88 [ 134.497012] rtc_read_time+0x3c/0x68 [ 134.500622] rtc_suspend+0x9c/0x170 The warning is triggered because I2C transfers can still be attempted while the controller is already suspended, due to inappropriate ordering of the system sleep callbacks. If the controller is autosuspended, there is no way to wake it up once runtime PM disabled (in suspend_late()). During system resume, the I2C controller will be available only after runtime PM is re-enabled (in resume_early()). However, this may be too late for some devices. Wake up the controller in the suspend() callback while runtime PM is still enabled. The I2C controller will remain available until the suspend_noirq() callback (pm_runtime_force_suspend()) is called. During resume, the I2C controller can be restored by the resume_noirq() callback (pm_runtime_force_resume()). Finally, the resume() callback re-enables autosuspend. As a result, the I2C controller can remain available until the system enters suspend_noirq() and from resume_noirq(). | 2026-02-04 | not yet calculated | CVE-2026-23055 | https://git.kernel.org/stable/c/469f8fe4c87e43520f279e45b927c35d6fe99194 https://git.kernel.org/stable/c/0b4c0fbbe00b7de76bdaea7fa771017d7a979b0d https://git.kernel.org/stable/c/e383f0961422f983451ac4dd6aed1a3d3311f2be |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: uacce: implement mremap in uacce_vm_ops to return -EPERM The current uacce_vm_ops does not support the mremap operation of vm_operations_struct. Implement .mremap to return -EPERM to remind users. The reason we need to explicitly disable mremap is that when the driver does not implement .mremap, it uses the default mremap method. This could lead to a risk scenario: An application might first mmap address p1, then mremap to p2, followed by munmap(p1), and finally munmap(p2). Since the default mremap copies the original vma's vm_private_data (i.e., q) to the new vma, both munmap operations would trigger vma_close, causing q->qfr to be freed twice(qfr will be set to null here, so repeated release is ok). | 2026-02-04 | not yet calculated | CVE-2026-23056 | https://git.kernel.org/stable/c/78d99f062d42e3af2ca46bde1a8e46e0dfd372e3 https://git.kernel.org/stable/c/ebfa85658a39b49ec3901ceea7535b73aa0429e6 https://git.kernel.org/stable/c/75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06f https://git.kernel.org/stable/c/4c042bc71474dbe417c268f4bfb8ec196f802f07 https://git.kernel.org/stable/c/a407ddd61b3e6afc5ccfcd1478797171cf5686ee https://git.kernel.org/stable/c/ba29b59d124e725e0377f09b2044909c91d657a1 https://git.kernel.org/stable/c/02695347be532b628f22488300d40c4eba48b9b7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Coalesce only linear skb vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them. Since the introduction of MSG_ZEROCOPY support, assumption that a small skb will always be linear is incorrect. In the zerocopy case, data is lost and the linear skb is appended with uninitialized kernel memory. Of all 3 supported virtio-based transports, only loopback-transport is affected. G2H virtio-transport rx queue operates on explicitly linear skbs; see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G vhost-transport may allocate non-linear skbs, but only for sizes that are not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in virtio_vsock_alloc_skb(). Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 guarantees last_skb is linear. | 2026-02-04 | not yet calculated | CVE-2026-23057 | https://git.kernel.org/stable/c/568e9cd8ed7ca9bf748c7687ba6501f29d30e59f https://git.kernel.org/stable/c/63ef9b300bd09e24c57050c5dbe68feedce42e72 https://git.kernel.org/stable/c/0386bd321d0f95d041a7b3d7b07643411b044a96 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in ems_usb_close(). Fix the memory leak by anchoring the URB in the ems_usb_read_bulk_callback() to the dev->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23058 | https://git.kernel.org/stable/c/e2c71030dc464d437110bcfb367c493fd402bddb https://git.kernel.org/stable/c/f48eabd15194b216030b32445f44230df95f5fe0 https://git.kernel.org/stable/c/61e6d3674c3d1da1475dc207b3e75c55d678d18e https://git.kernel.org/stable/c/e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8 https://git.kernel.org/stable/c/46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1a https://git.kernel.org/stable/c/68c62b3e53901846b5f68c5a8bade72a5d9c0b87 https://git.kernel.org/stable/c/0ce73a0eb5a27070957b67fd74059b6da89cc516 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Sanitize payload size to prevent member overflow In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size reported by firmware is used to calculate the copy length into item->iocb. However, the iocb member is defined as a fixed-size 64-byte array within struct purex_item. If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will overflow the iocb member boundary. While extra memory might be allocated, this cross-member write is unsafe and triggers warnings under CONFIG_FORTIFY_SOURCE. Fix this by capping total_bytes to the size of the iocb member (64 bytes) before allocation and copying. This ensures all copies remain within the bounds of the destination structure member. | 2026-02-04 | not yet calculated | CVE-2026-23059 | https://git.kernel.org/stable/c/408bfa8d70f79ac696cec1bdbdfb3bf43a02e6d0 https://git.kernel.org/stable/c/1922468a4a80424e5a69f7ba50adcee37f4722e9 https://git.kernel.org/stable/c/aa14451fa5d5f2de919384c637e2a8c604e1a1fe https://git.kernel.org/stable/c/19bc5f2a6962dfaa0e32d0e0bc2271993d85d414 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). Add a minimum AAD length check to fail fast on invalid inputs. | 2026-02-04 | not yet calculated | CVE-2026-23060 | https://git.kernel.org/stable/c/df22c9a65e9a9daa368a72fed596af9d7d5876bb https://git.kernel.org/stable/c/fee86edf5803f1d1f19e3b4f2dacac241bddfa48 https://git.kernel.org/stable/c/767e8349f7e929b7dd95c08f0b4cb353459b365e https://git.kernel.org/stable/c/b0a9609283a5c852addb513dafa655c61eebc1ef https://git.kernel.org/stable/c/161bdc90fce25bd9890adc67fa1c8563a7acbf40 https://git.kernel.org/stable/c/9532ff0d0e90ff78a214299f594ab9bac81defe4 https://git.kernel.org/stable/c/2397e9264676be7794f8f7f1e9763d90bd3c7335 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In kvaser_usb_remove_interfaces() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23061 | https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7 https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132 https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4 https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01 https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482 https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro The GET_INSTANCE_ID macro that caused a kernel panic when accessing sysfs attributes: 1. Off-by-one error: The loop condition used '<=' instead of '<', causing access beyond array bounds. Since array indices are 0-based and go from 0 to instances_count-1, the loop should use '<'. 2. Missing NULL check: The code dereferenced attr_name_kobj->name without checking if attr_name_kobj was NULL, causing a null pointer dereference in min_length_show() and other attribute show functions. The panic occurred when fwupd tried to read BIOS configuration attributes: Oops: general protection fault [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:min_length_show+0xcf/0x1d0 [hp_bioscfg] Add a NULL check for attr_name_kobj before dereferencing and corrects the loop boundary to match the pattern used elsewhere in the driver. | 2026-02-04 | not yet calculated | CVE-2026-23062 | https://git.kernel.org/stable/c/eb5ff1025c92117d5d1cc728bcfa294abe484da1 https://git.kernel.org/stable/c/eba49c1dee9c5e514ca18e52c545bba524e8a045 https://git.kernel.org/stable/c/193922a23d7294085a47d7719fdb7d66ad0a236f https://git.kernel.org/stable/c/25150715e0b049b99df664daf05dab12f41c3e13 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: uacce: ensure safe queue release with state management Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to the final resource release ensures safety. Queue states are defined as follows: - UACCE_Q_ZOMBIE: Initial state - UACCE_Q_INIT: After opening `uacce` - UACCE_Q_STARTED: After `start` is issued via `ioctl` When executing `poweroff -f` in virt while accelerator are still working, `uacce_fops_release` and `uacce_remove` may execute concurrently. This can cause `uacce_put_queue` within `uacce_fops_release` to access a NULL `ops` pointer. Therefore, add state checks to prevent accessing freed pointers. | 2026-02-04 | not yet calculated | CVE-2026-23063 | https://git.kernel.org/stable/c/b457abeb5d962db88aaf60e249402fd3073dbfab https://git.kernel.org/stable/c/8b57bf1d3b1db692f34bce694a03e41be79f6016 https://git.kernel.org/stable/c/336fb41a186e7c0415ae94fec9e23d1f04b87483 https://git.kernel.org/stable/c/43f233eb6e7b9d88536881a9bc43726d0e34800d https://git.kernel.org/stable/c/47634d70073890c9c37e39ab4ff93d4b585b028a https://git.kernel.org/stable/c/92e4f11e29b98ef424ff72d6371acac03e5d973c https://git.kernel.org/stable/c/26c08dabe5475d99a13f353d8dd70e518de45663 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possible NULL deref tcf_ife_encode() must make sure ife_encode() does not return NULL. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full) Call Trace: <TASK> ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 tcf_ife_encode net/sched/act_ife.c:841 [inline] tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 tc_act include/net/tc_wrapper.h:130 [inline] tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 tcf_exts_exec include/net/pkt_cls.h:349 [inline] mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 tc_classify include/net/tc_wrapper.h:197 [inline] __tcf_classify net/sched/cls_api.c:1764 [inline] tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 multiq_classify net/sched/sch_multiq.c:39 [inline] multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 __dev_xmit_skb net/core/dev.c:4262 [inline] __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798 | 2026-02-04 | not yet calculated | CVE-2026-23064 | https://git.kernel.org/stable/c/4ef2c77851676b7ed106f0c47755bee9eeec9a40 https://git.kernel.org/stable/c/dd9442aedbeae87c44cc64c0ee41abd296dc008b https://git.kernel.org/stable/c/1440d749fe49c8665da6f744323b1671d25a56a0 https://git.kernel.org/stable/c/03710cebfc0bcfe247a9e04381e79ea33896e278 https://git.kernel.org/stable/c/374915dfc932adf57712df3be010667fd1190e3c https://git.kernel.org/stable/c/6c75fed55080014545f262b7055081cec4768b20 https://git.kernel.org/stable/c/27880b0b0d35ad1c98863d09788254e36f874968 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd: Fix memory leak in wbrf_record() The tmp buffer is allocated using kcalloc() but is not freed if acpi_evaluate_dsm() fails. This causes a memory leak in the error path. Fix this by explicitly freeing the tmp buffer in the error handling path of acpi_evaluate_dsm(). | 2026-02-04 | not yet calculated | CVE-2026-23065 | https://git.kernel.org/stable/c/1152dffe01af86e42ce2b208b92ef7f8c275d130 https://git.kernel.org/stable/c/1a0072bd1f1e559eda3e91a24dbc51c9eb025c54 https://git.kernel.org/stable/c/2bf1877b7094c684e1d652cac6912cfbc507ad3e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at the front of the recvmsg queue already has its mutex locked, it requeues the call - whether or not the call is already queued. The call may be on the queue because MSG_PEEK was also passed and so the call was not dequeued or because the I/O thread requeued it. The unconditional requeue may then corrupt the recvmsg queue, leading to things like UAFs or refcount underruns. Fix this by only requeuing the call if it isn't already on the queue - and moving it to the front if it is already queued. If we don't queue it, we have to put the ref we obtained by dequeuing it. Also, MSG_PEEK doesn't dequeue the call so shouldn't call rxrpc_notify_socket() for the call if we didn't use up all the data on the queue, so fix that also. | 2026-02-04 | not yet calculated | CVE-2026-23066 | https://git.kernel.org/stable/c/930114425065f7ace6e0c0630fab4af75e059ea8 https://git.kernel.org/stable/c/2c28769a51deb6022d7fbd499987e237a01dd63a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path __arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems). This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() returns it -> __iommu_unmap() adds it to iova address -> iommu_pgsize() triggers BUG_ON due to corrupted iova This can cause IOVA address overflow in __iommu_unmap() loop and trigger BUG_ON in iommu_pgsize() from invalid address alignment. Fix by returning 0 instead of -ENOENT. The WARN_ON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions. | 2026-02-04 | not yet calculated | CVE-2026-23067 | https://git.kernel.org/stable/c/41ec6988547819756fb65e94fc24f3e0dddf84ac https://git.kernel.org/stable/c/374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double free in probe error path The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller(). If devm_register_restart_handler() fails, the code jumps to the put_ctlr label and calls spi_controller_put(). However, since the controller was registered via a devm function, the device core will automatically call spi_controller_put() again when the probe fails. This results in a double-free of the spi_controller structure. Fix this by switching to devm_spi_alloc_host() and removing the manual spi_controller_put() call. | 2026-02-04 | not yet calculated | CVE-2026-23068 | https://git.kernel.org/stable/c/bddd3d10d039729b81cfb0804520c8832a701a0e https://git.kernel.org/stable/c/417cdfd9b9f986e95bfcb1d68eb443e6e0a15f8c https://git.kernel.org/stable/c/346775f2b4cf839177e8e86b94aa180a06dc15b0 https://git.kernel.org/stable/c/f6d6b3f172df118db582fe5ec43ae223a55d99cf https://git.kernel.org/stable/c/383d4f5cffcc8df930d95b06518a9d25a6d74aac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix potential underflow in virtio_transport_get_credit() The credit calculation in virtio_transport_get_credit() uses unsigned arithmetic: ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes are in flight, the subtraction can underflow and produce a large positive value, potentially allowing more data to be queued than the peer can handle. Reuse virtio_transport_has_space() which already handles this case and add a comment to make it clear why we are doing that. [Stefano: use virtio_transport_has_space() instead of duplicating the code] [Stefano: tweak the commit message] | 2026-02-04 | not yet calculated | CVE-2026-23069 | https://git.kernel.org/stable/c/d96de882d6b99955604669d962ae14e94b66a551 https://git.kernel.org/stable/c/02f9af192b98d15883c70dd41ac76d1b0217c899 https://git.kernel.org/stable/c/d05bc313788f0684b27f0f5b60c52a844669b542 https://git.kernel.org/stable/c/ec0f1b3da8061be3173d1c39faaf9504f91942c3 https://git.kernel.org/stable/c/3ef3d52a1a9860d094395c7a3e593f3aa26ff012 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Octeontx2-af: Add proper checks for fwdata firmware populates MAC address, link modes (supported, advertised) and EEPROM data in shared firmware structure which kernel access via MAC block(CGX/RPM). Accessing fwdata, on boards booted with out MAC block leading to kernel panics. Internal error: Oops: 0000000096000005 [#1] SMP [ 10.460721] Modules linked in: [ 10.463779] CPU: 0 UID: 0 PID: 174 Comm: kworker/0:3 Not tainted 6.19.0-rc5-00154-g76ec646abdf7-dirty #3 PREEMPT [ 10.474045] Hardware name: Marvell OcteonTX CN98XX board (DT) [ 10.479793] Workqueue: events work_for_cpu_fn [ 10.484159] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 10.491124] pc : rvu_sdp_init+0x18/0x114 [ 10.495051] lr : rvu_probe+0xe58/0x1d18 | 2026-02-04 | not yet calculated | CVE-2026-23070 | https://git.kernel.org/stable/c/e343973fab43c266a40e4e0dabdc4216db6d5eff https://git.kernel.org/stable/c/4a3dba48188208e4f66822800e042686784d29d1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regmap: Fix race condition in hwspinlock irqsave routine Previously, the address of the shared member '&map->spinlock_flags' was passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race condition where multiple contexts contending for the lock could overwrite the shared flags variable, potentially corrupting the state for the current lock owner. Fix this by using a local stack variable 'flags' to store the IRQ state temporarily. | 2026-02-04 | not yet calculated | CVE-2026-23071 | https://git.kernel.org/stable/c/e1a7072bc4f958c9e852dc7e57e39f12b0bb44b5 https://git.kernel.org/stable/c/766e243ae8c8b27087a4cc605752c0d5ee2daeab https://git.kernel.org/stable/c/f1e2fe26a51eca95b41420af76d22c2e613efd5e https://git.kernel.org/stable/c/24f31be6ad70537fd7706269d99c92cade465a09 https://git.kernel.org/stable/c/4aab0ca0a0f7760e33edcb4e47576064d05128f5 https://git.kernel.org/stable/c/c2d2cf710dc3ee1a69e00b4ed8de607a92a07889 https://git.kernel.org/stable/c/4b58aac989c1e3fafb1c68a733811859df388250 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: l2tp: Fix memleak in l2tp_udp_encap_recv(). syzbot reported memleak of struct l2tp_session, l2tp_tunnel, sock, etc. [0] The cited commit moved down the validation of the protocol version in l2tp_udp_encap_recv(). The new place requires an extra error handling to avoid the memleak. Let's call l2tp_session_put() there. [0]: BUG: memory leak unreferenced object 0xffff88810a290200 (size 512): comm "syz.0.17", pid 6086, jiffies 4294944299 hex dump (first 32 bytes): 7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }............... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc babb6a4f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] __do_kmalloc_node mm/slub.c:5656 [inline] __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669 kmalloc_noprof include/linux/slab.h:961 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778 pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755 __sys_connect_file+0x7a/0xb0 net/socket.c:2089 __sys_connect+0xde/0x110 net/socket.c:2108 __do_sys_connect net/socket.c:2114 [inline] __se_sys_connect net/socket.c:2111 [inline] __x64_sys_connect+0x1c/0x30 net/socket.c:2111 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2026-02-04 | not yet calculated | CVE-2026-23072 | https://git.kernel.org/stable/c/5cd158a88eef34e7b100cd9b963873d3b4e41b35 https://git.kernel.org/stable/c/d4ce79e6dce2a4a49eebceea7b4caf5dc0f0ef3d https://git.kernel.org/stable/c/4d10edfd1475b69dbd4c47f34b61a3772ece83ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory corruption due to not set vif driver data size The struct ieee80211_vif contains trailing space for vif driver data, when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The size of vif driver data is set by each WiFi driver as needed. The RSI911x driver does not set vif driver data size, no trailing space for vif driver data is therefore allocated past struct ieee80211_vif. The RSI911x driver does however use the vif driver data to store its vif driver data structure "struct vif_priv". An access to vif->drv_priv leads to access out of struct ieee80211_vif bounds and corruption of some memory. In case of the failure observed locally, rsi_mac80211_add_interface() would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv; vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member struct list_head new_flows. The flow = list_first_entry(head, struct fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus address, which when accessed causes a crash. The trigger is very simple, boot the machine with init=/bin/sh, mount devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1", "ip link set wlan0 down" and the crash occurs. Fix this by setting the correct size of vif driver data, which is the size of "struct vif_priv", so that memory is allocated and the driver can store its driver data in it, instead of corrupting memory around it. | 2026-02-04 | not yet calculated | CVE-2026-23073 | https://git.kernel.org/stable/c/49ef094fdbc3526e5db2aebb404b84f79c5603dc https://git.kernel.org/stable/c/0d7c9e793e351cbbe9e06a9ca47d77b6ad288fb0 https://git.kernel.org/stable/c/7c54d0c3e2cad4300be721ec2aecfcf8a63bc9f4 https://git.kernel.org/stable/c/7761d7801f40e61069b4df3db88b36d80d089f8a https://git.kernel.org/stable/c/99129d80a5d4989ef8566f434f3589f60f28042b https://git.kernel.org/stable/c/31efbcff90884ea5f65bf3d1de01267db51ee3d1 https://git.kernel.org/stable/c/4f431d88ea8093afc7ba55edf4652978c5a68f33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows: ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s └── class 1:2 (weight=1, lmax=1514) teql GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed, causing a UAF. | 2026-02-04 | not yet calculated | CVE-2026-23074 | https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6 https://git.kernel.org/stable/c/ae810e6a8ac4fe25042e6825d2a401207a2e41fb https://git.kernel.org/stable/c/dad49a67c2d817bfec98e6e45121b351e3a0202c https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380 https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841 https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In esd_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In esd_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in esd_usb_close(). Fix the memory leak by anchoring the URB in the esd_usb_read_bulk_callback() to the dev->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23075 | https://git.kernel.org/stable/c/93b34d4ba7266030801a509c088ac77c0d7a12e9 https://git.kernel.org/stable/c/dc934d96673992af8568664c1b58e13eb164010d https://git.kernel.org/stable/c/92d26ce07ac3b7a850dc68c8d73d487b39c39b33 https://git.kernel.org/stable/c/adec5e1f9c99fe079ec4c92cca3f1109a3e257c3 https://git.kernel.org/stable/c/9d1807b442fc3286b204f8e59981b10e743533ce https://git.kernel.org/stable/c/a9503ae43256e80db5cba9d449b238607164c51d https://git.kernel.org/stable/c/5a4391bdc6c8357242f62f22069c865b792406b3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Fix potential OOB access in audio mixer handling In the audio mixer handling code of ctxfi driver, the conf field is used as a kind of loop index, and it's referred in the index callbacks (amixer_index() and sum_index()). As spotted recently by fuzzers, the current code causes OOB access at those functions. \| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48 \| index 8 is out of range for type 'unsigned char [8]' After the analysis, the cause was found to be the lack of the proper (re-)initialization of conj field. This patch addresses those OOB accesses by adding the proper initializations of the loop indices. | 2026-02-04 | not yet calculated | CVE-2026-23076 | https://git.kernel.org/stable/c/6524205326e0c1a21263b5c14e48e14ef7e449ae https://git.kernel.org/stable/c/afca7ff5d5d4d63a1acb95461f55ca9a729feedf https://git.kernel.org/stable/c/8c1d09806e1441bc6a54b9a4f2818918046d5174 https://git.kernel.org/stable/c/a8c42d11b0526a89192bd2f79facb4c60c8a1f38 https://git.kernel.org/stable/c/d77ba72558cd66704f0fb7e0969f697e87c0f71c https://git.kernel.org/stable/c/873e2360d247eeee642878fcc3398babff7e387c https://git.kernel.org/stable/c/61006c540cbdedea83b05577dc7fb7fa18fe1276 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge Patch series "mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge", v2. Commit 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA merge scenarios. However, it is handling merges incorrectly when it comes to mremap() of a faulted VMA adjacent to an unfaulted VMA. The issues arise in three cases: 1. Previous VMA unfaulted: copied -----\| v \|-----------\|.............\| \| unfaulted \|(faulted VMA)\| \|-----------\|.............\| prev 2. Next VMA unfaulted: copied -----\| v \|.............\|-----------\| \|(faulted VMA)\| unfaulted \| \|.............\|-----------\| next 3. Both adjacent VMAs unfaulted: copied -----\| v \|-----------\|.............\|-----------\| \| unfaulted \|(faulted VMA)\| unfaulted \| \|-----------\|.............\|-----------\| prev next This series fixes each of these cases, and introduces self tests to assert that the issues are corrected. I also test a further case which was already handled, to assert that my changes continues to correctly handle it: 4. prev unfaulted, next faulted: copied -----\| v \|-----------\|.............\|-----------\| \| unfaulted \|(faulted VMA)\| faulted \| \|-----------\|.............\|-----------\| prev next This bug was discovered via a syzbot report, linked to in the first patch in the series, I confirmed that this series fixes the bug. I also discovered that we are failing to check that the faulted VMA was not forked when merging a copied VMA in cases 1-3 above, an issue this series also addresses. I also added self tests to assert that this is resolved (and confirmed that the tests failed prior to this). I also cleaned up vma_expand() as part of this work, renamed vma_had_uncowed_parents() to vma_is_fork_child() as the previous name was unduly confusing, and simplified the comments around this function. This patch (of 4): Commit 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA merge scenarios. The key piece of logic introduced was the ability to merge a faulted VMA immediately next to an unfaulted VMA, which relies upon dup_anon_vma() to correctly handle anon_vma state. In the case of the merge of an existing VMA (that is changing properties of a VMA and then merging if those properties are shared by adjacent VMAs), dup_anon_vma() is invoked correctly. However in the case of the merge of a new VMA, a corner case peculiar to mremap() was missed. The issue is that vma_expand() only performs dup_anon_vma() if the target (the VMA that will ultimately become the merged VMA): is not the next VMA, i.e. the one that appears after the range in which the new VMA is to be established. A key insight here is that in all other cases other than mremap(), a new VMA merge either expands an existing VMA, meaning that the target VMA will be that VMA, or would have anon_vma be NULL. Specifically: * __mmap_region() - no anon_vma in place, initial mapping. * do_brk_flags() - expanding an existing VMA. * vma_merge_extend() - expanding an existing VMA. * relocate_vma_down() - no anon_vma in place, initial mapping. In addition, we are in the unique situation of needing to duplicate anon_vma state from a VMA that is neither the previous or next VMA being merged with. dup_anon_vma() deals exclusively with the target=unfaulted, src=faulted case. This leaves four possibilities, in each case where the copied VMA is faulted: 1. Previous VMA unfaulted: copied -----\| ---truncated--- | 2026-02-04 | not yet calculated | CVE-2026-23077 | https://git.kernel.org/stable/c/a4d9dbfc1bab16e25fefd34b5e537a46bed8fc96 https://git.kernel.org/stable/c/61f67c230a5e7c741c352349ea80147fbe65bfae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Fix buffer overflow in config retrieval The scarlett2_usb_get_config() function has a logic error in the endianness conversion code that can cause buffer overflows when count > 1. The code checks `if (size == 2)` where `size` is the total buffer size in bytes, then loops `count` times treating each element as u16 (2 bytes). This causes the loop to access `count * 2` bytes when the buffer only has `size` bytes allocated. Fix by checking the element size (config_item->size) instead of the total buffer size. This ensures the endianness conversion matches the actual element type. | 2026-02-04 | not yet calculated | CVE-2026-23078 | https://git.kernel.org/stable/c/d5e80d1f97ae55bcea1426f551e4419245b41b9c https://git.kernel.org/stable/c/51049f6e3f05d70660e2458ad3bb302a3721b751 https://git.kernel.org/stable/c/91a756d22f0482eac5bedb113c8922f90b254449 https://git.kernel.org/stable/c/27049f50be9f5ae3a62d272128ce0b381cb26a24 https://git.kernel.org/stable/c/31a3eba5c265a763260976674a22851e83128f6d https://git.kernel.org/stable/c/6f5c69f72e50d51be3a8c028ae7eda42c82902cb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify() On error handling paths, lineinfo_changed_notify() doesn't free the allocated resources which results in leaks. Fix it. | 2026-02-04 | not yet calculated | CVE-2026-23079 | https://git.kernel.org/stable/c/16414341b0dd58b650b5df45c79115bc5977bb76 https://git.kernel.org/stable/c/70b3c280533167749a8f740acaa8ef720f78f984 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback mcba_usb_read_bulk_callback(), the URBs are processed and resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the mcba_usb_read_bulk_callback() to the priv->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23080 | https://git.kernel.org/stable/c/8b34c611a4feb81921bc4728c091e4e3ba0270c0 https://git.kernel.org/stable/c/b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60 https://git.kernel.org/stable/c/59153b6388e05609144ad56a9b354e9100a91983 https://git.kernel.org/stable/c/179f6f0cf5ae489743273b7c1644324c0c477ea9 https://git.kernel.org/stable/c/94c9f6f7b953f6382fef4bdc48c046b861b8868f https://git.kernel.org/stable/c/d374d715e338dfc3804aaa006fa6e470ffebb264 https://git.kernel.org/stable/c/710a7529fb13c5a470258ff5508ed3c498d54729 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: phy: intel-xway: fix OF node refcount leakage Automated review spotted an OF node reference count leakage when checking if the 'leds' child node exists. Call of_put_node() to correctly maintain the refcount. | 2026-02-04 | not yet calculated | CVE-2026-23081 | https://git.kernel.org/stable/c/1f24dfd556401b75f78e8d9cbd94dd9f31411c3a https://git.kernel.org/stable/c/79912b256e14054e6ba177d7e7e631485ce23dbe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"), the URB was re-anchored before usb_submit_urb() in gs_usb_receive_bulk_callback() to prevent a leak of this URB during cleanup. However, this patch did not take into account that usb_submit_urb() could fail. The URB remains anchored and usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops infinitely since the anchor list never becomes empty. To fix the bug, unanchor the URB when an usb_submit_urb() error occurs, also print an info message. | 2026-02-04 | not yet calculated | CVE-2026-23082 | https://git.kernel.org/stable/c/aa8a8866c533a150be4763bcb27993603bd5426c https://git.kernel.org/stable/c/ce4352057fc5a986c76ece90801b9755e7c6e56c https://git.kernel.org/stable/c/c610b550ccc0438d456dfe1df9f4f36254ccaae3 https://git.kernel.org/stable/c/c3edc14da81a8d8398682f6e4ab819f09f37c0b7 https://git.kernel.org/stable/c/79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fou: Don't allow 0 for FOU_ATTR_IPPROTO. fou_udp_recv() has the same problem mentioned in the previous patch. If FOU_ATTR_IPPROTO is set to 0, skb is not freed by fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). Let's forbid 0 for FOU_ATTR_IPPROTO. | 2026-02-04 | not yet calculated | CVE-2026-23083 | https://git.kernel.org/stable/c/c7498f9bc390479ccfad7c7f2332237ff4945b03 https://git.kernel.org/stable/c/611ef4bd9c73d9e6d87bed57a635ff1fdd8c91ea https://git.kernel.org/stable/c/6e983789b7588ee59cbf303583546c043bad8e19 https://git.kernel.org/stable/c/1cc98b8887cabb1808d2f4a37cd10a7be7574771 https://git.kernel.org/stable/c/b7db31a52c3862a1a32202a273a4c32e7f5f4823 https://git.kernel.org/stable/c/9b75dff8446ec871030d8daf5a69e74f5fe8b956 https://git.kernel.org/stable/c/7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is set to false, the driver may request the PMAC_ID from the firmware of the network card, and this function will store that PMAC_ID at the provided address pmac_id. This is the contract of this function. However, there is a location within the driver where both pmac_id_valid == false and pmac_id == NULL are being passed. This could result in dereferencing a NULL pointer. To resolve this issue, it is necessary to pass the address of a stub variable to the function. | 2026-02-04 | not yet calculated | CVE-2026-23084 | https://git.kernel.org/stable/c/4cba480c9b9a3861a515262225cb53a1f5978344 https://git.kernel.org/stable/c/92c6dc181a18e6e0ddb872ed35cb48a9274829e4 https://git.kernel.org/stable/c/6c3e00888dbec887125a08b51a705b9b163fcdd1 https://git.kernel.org/stable/c/e206fb415db36bad52bb90c08d46ce71ffbe8a80 https://git.kernel.org/stable/c/47ffb4dcffe336f4a7bd0f3284be7aadc6484698 https://git.kernel.org/stable/c/31410a01a86bcb98c798d01061abf1f789c4f75a https://git.kernel.org/stable/c/8215794403d264739cc676668087512950b2ff31 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3-its: Avoid truncating memory addresses On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem allocations to be backed by addresses physical memory above the 32-bit address limit, as found while experimenting with larger VMSPLIT configurations. This caused the qemu virt model to crash in the GICv3 driver, which allocates the 'itt' object using GFP_KERNEL. Since all memory below the 4GB physical address limit is in ZONE_DMA in this configuration, kmalloc() defaults to higher addresses for ZONE_NORMAL, and the ITS driver stores the physical address in a 32-bit 'unsigned long' variable. Change the itt_addr variable to the correct phys_addr_t type instead, along with all other variables in this driver that hold a physical address. The gicv5 driver correctly uses u64 variables, while all other irqchip drivers don't call virt_to_phys or similar interfaces. It's expected that other device drivers have similar issues, but fixing this one is sufficient for booting a virtio based guest. | 2026-02-04 | not yet calculated | CVE-2026-23085 | https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88 https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27 https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238 https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98 https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: cap TX credit to local buffer size The virtio transport derives its TX credit directly from peer_buf_alloc, which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. On the host side this means that the amount of data we are willing to queue for a connection is scaled by a guest-chosen buffer size, rather than the host's own vsock configuration. A malicious guest can advertise a large buffer and read slowly, causing the host to allocate a correspondingly large amount of sk_buff memory. The same thing would happen in the guest with a malicious host, since virtio transports share the same code base. Introduce a small helper, virtio_transport_tx_buf_size(), that returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume peer_buf_alloc. This ensures the effective TX window is bounded by both the peer's advertised buffer and our own buf_alloc (already clamped to buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer cannot force the other to queue more data than allowed by its own vsock settings. On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with 32 guest vsock connections advertising 2 GiB each and reading slowly drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only recovered after killing the QEMU process. That said, if QEMU memory is limited with cgroups, the maximum memory used will be limited. With this patch applied: Before: MemFree: ~61.6 GiB Slab: ~142 MiB SUnreclaim: ~117 MiB After 32 high-credit connections: MemFree: ~61.5 GiB Slab: ~178 MiB SUnreclaim: ~152 MiB Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest remains responsive. Compatibility with non-virtio transports: - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per socket based on the local vsk->buffer_* values; the remote side cannot enlarge those queues beyond what the local endpoint configured. - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and an MTU bound; there is no peer-controlled credit field comparable to peer_buf_alloc, and the remote endpoint cannot drive in-flight kernel memory above those ring sizes. - The loopback path reuses virtio_transport_common.c, so it naturally follows the same semantics as the virtio transport. This change is limited to virtio_transport_common.c and thus affects virtio-vsock, vhost-vsock, and loopback, bringing them in line with the "remote window intersected with local policy" behaviour that VMCI and Hyper-V already effectively have. [Stefano: small adjustments after changing the previous patch] [Stefano: tweak the commit message] | 2026-02-04 | not yet calculated | CVE-2026-23086 | https://git.kernel.org/stable/c/fef7110ae5617555c792a2bb4d27878d84583adf https://git.kernel.org/stable/c/d9d5f222558b42f6277eafaaa6080966faf37676 https://git.kernel.org/stable/c/c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce https://git.kernel.org/stable/c/84ef86aa7120449828d1e0ce438c499014839711 https://git.kernel.org/stable/c/8ee784fdf006cbe8739cfa093f54d326cbf54037 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: xen: scsiback: Fix potential memory leak in scsiback_remove() Memory allocated for struct vscsiblk_info in scsiback_probe() is not freed in scsiback_remove() leading to potential memory leaks on remove, as well as in the scsiback_probe() error paths. Fix that by freeing it in scsiback_remove(). | 2026-02-04 | not yet calculated | CVE-2026-23087 | https://git.kernel.org/stable/c/a8bb3ec8d85951a56af0a72d93ccbc2aee42eef9 https://git.kernel.org/stable/c/427b0fb30ddec3bad05dcd73b00718f98c7026d2 https://git.kernel.org/stable/c/4a975c72429b050c234405668b742cdecc11548e https://git.kernel.org/stable/c/f86264ec0e2b102fcd49bf3e4f32fee669d482fc https://git.kernel.org/stable/c/32e52b56056daf0f0881fd9254706acf25b4be97 https://git.kernel.org/stable/c/24c441f0e24da175d7912095663f526ac480dc4f https://git.kernel.org/stable/c/901a5f309daba412e2a30364d7ec1492fa11c32c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Fix crash on synthetic stacktrace field usage When creating a synthetic event based on an existing synthetic event that had a stacktrace field and the new synthetic event used that field a kernel crash occurred: ~# cd /sys/kernel/tracing ~# echo 's:stack unsigned long stack[];' > dynamic_events ~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger ~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/trigger The above creates a synthetic event that takes a stacktrace when a task schedules out in a non-running state and passes that stacktrace to the sched_switch event when that task schedules back in. It triggers the "stack" synthetic event that has a stacktrace as its field (called "stack"). ~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events ~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger ~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/trigger The above makes another synthetic event called "syscall_stack" that attaches the first synthetic event (stack) to the sys_exit trace event and records the stacktrace from the stack event with the id of the system call that is exiting. When enabling this event (or using it in a histogram): ~# echo 1 > events/synthetic/syscall_stack/enable Produces a kernel crash! BUG: unable to handle page fault for address: 0000000000400010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:trace_event_raw_event_synth+0x90/0x380 Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f RSP: 0018:ffffd2670388f958 EFLAGS: 00010202 RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0 RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50 R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010 R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90 FS: 00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0 Call Trace: <TASK> ? __tracing_map_insert+0x208/0x3a0 action_trace+0x67/0x70 event_hist_trigger+0x633/0x6d0 event_triggers_call+0x82/0x130 trace_event_buffer_commit+0x19d/0x250 trace_event_raw_event_sys_exit+0x62/0xb0 syscall_exit_work+0x9d/0x140 do_syscall_64+0x20a/0x2f0 ? trace_event_raw_event_sched_switch+0x12b/0x170 ? save_fpregs_to_fpstate+0x3e/0x90 ? _raw_spin_unlock+0xe/0x30 ? finish_task_switch.isra.0+0x97/0x2c0 ? __rseq_handle_notify_resume+0xad/0x4c0 ? __schedule+0x4b8/0xd00 ? restore_fpregs_from_fpstate+0x3c/0x90 ? switch_fpu_return+0x5b/0xe0 ? do_syscall_64+0x1ef/0x2f0 ? do_fault+0x2e9/0x540 ? __handle_mm_fault+0x7d1/0xf70 ? count_memcg_events+0x167/0x1d0 ? handle_mm_fault+0x1d7/0x2e0 ? do_user_addr_fault+0x2c3/0x7f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The reason is that the stacktrace field is not labeled as such, and is treated as a normal field and not as a dynamic event that it is. In trace_event_raw_event_synth() the event field is still treated as a dynamic array, but the retrieval of the data is considered a normal field, and the reference is just the meta data: // Meta data is retrieved instead of a dynamic array ---truncated--- | 2026-02-04 | not yet calculated | CVE-2026-23088 | https://git.kernel.org/stable/c/98ecbfb2598c9c7ca755a29f402da9d36c057077 https://git.kernel.org/stable/c/327af07dff6ab5650b21491eb4f69694999ff3d1 https://git.kernel.org/stable/c/3b90d099efa2b67239bd3b3dc3521ec584261748 https://git.kernel.org/stable/c/90f9f5d64cae4e72defd96a2a22760173cb3c9ec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 ... snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element. | 2026-02-04 | not yet calculated | CVE-2026-23089 | https://git.kernel.org/stable/c/51b1aa6fe7dc87356ba58df06afb9677c9b841ea https://git.kernel.org/stable/c/56fb6efd5d04caf6f14994d51ec85393b9a896c6 https://git.kernel.org/stable/c/7009daeefa945973a530b2f605fe445fc03747af https://git.kernel.org/stable/c/7bff0156d13f0ad9436e5178b979b063d59f572a https://git.kernel.org/stable/c/e6f103a22b08daf5df2f4aa158081840e5910963 https://git.kernel.org/stable/c/dc1a5dd80af1ee1f29d8375b12dd7625f6294dad https://git.kernel.org/stable/c/930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: slimbus: core: fix device reference leak on report present Slimbus devices can be allocated dynamically upon reception of report-present messages. Make sure to drop the reference taken when looking up already registered devices. Note that this requires taking an extra reference in case the device has not yet been registered and has to be allocated. | 2026-02-04 | not yet calculated | CVE-2026-23090 | https://git.kernel.org/stable/c/b1217e40705b2f6d311c197b12866752656217ff https://git.kernel.org/stable/c/948615429c9f2ac9d25d4e1f1a4472926b217a9a https://git.kernel.org/stable/c/02b78bbfbafe49832e508079148cb87cdfa55825 https://git.kernel.org/stable/c/2ddc09f6a0a221b1d91a7cbc8cc2cefdbd334fe6 https://git.kernel.org/stable/c/54de72a7aabc0749938d7a2833a0c1a5d3ed7ac9 https://git.kernel.org/stable/c/6602bb4d1338e92b5838e50322b87697bdbd2ee0 https://git.kernel.org/stable/c/9391380eb91ea5ac792aae9273535c8da5b9aa01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: intel_th: fix device leak on output open() Make sure to drop the reference taken when looking up the th device during output device open() on errors and on close(). Note that a recent commit fixed the leak in a couple of open() error paths but not all of them, and the reference is still leaking on successful open(). | 2026-02-04 | not yet calculated | CVE-2026-23091 | https://git.kernel.org/stable/c/af4b9467296b9a16ebc008147238070236982b6d https://git.kernel.org/stable/c/64015cbf06e8bb75b81ae95b997e847b55280f7f https://git.kernel.org/stable/c/b71e64ef7ff9443835d1333e3e80ab1e49e5209f https://git.kernel.org/stable/c/bf7785434b5d05d940d936b78925080950bd54dd https://git.kernel.org/stable/c/0fca16c5591534cc1fec8b6181277ee3a3d0f26c https://git.kernel.org/stable/c/f9b059bda4276f2bb72cb98ec7875a747f042ea2 https://git.kernel.org/stable/c/95fc36a234da24bbc5f476f8104a5a15f99ed3e3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer. The code incorrectly uses 'count' as the index for null termination instead of the actual bytes copied. If count exceeds the buffer size, this leads to out-of-bounds write. Add a check for the count and use the return value as the index. The bug was validated using a demo module that mirrors the original code and was tested under QEMU. Pattern of the bug: - A fixed 64-byte stack buffer is filled using count. - If count > 64, the code still does buf[count] = '\0', causing an out-of-bounds write on the stack. Steps to reproduce: - Opens the device node. - Writes 128 bytes of A to it. - This overflows the 64-byte stack buffer and KASAN reports the OOB. Found via static analysis. This is similar to the commit da9374819eb3 ("iio: backend: fix out-of-bound write") | 2026-02-04 | not yet calculated | CVE-2026-23092 | https://git.kernel.org/stable/c/db16e7c52032c79156930a337ee17232931794ba https://git.kernel.org/stable/c/978d28136c53df38f8f0b747191930e2f95e9084 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd: fix dma_unmap_sg() nents The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned. | 2026-02-04 | not yet calculated | CVE-2026-23093 | https://git.kernel.org/stable/c/f569f5b8bfd5133defdf9c7f8a72c63aa11f54ec https://git.kernel.org/stable/c/6ececffd3e9fe93a87738625dc0671165d27bf96 https://git.kernel.org/stable/c/4d1e9a4a450aae47277763562122cc80ed703ab2 https://git.kernel.org/stable/c/70ba85e439221a5d6dda34a3004db6640f0525e6 https://git.kernel.org/stable/c/d1943bc9dc9508f5933788a76f8a35d10e43a646 https://git.kernel.org/stable/c/98e3e2b561bc88f4dd218d1c05890672874692f6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: uacce: fix isolate sysfs check condition uacce supports the device isolation feature. If the driver implements the isolate_err_threshold_read and isolate_err_threshold_write callback functions, uacce will create sysfs files now. Users can read and configure the isolation policy through sysfs. Currently, sysfs files are created as long as either isolate_err_threshold_read or isolate_err_threshold_write callback functions are present. However, accessing a non-existent callback function may cause the system to crash. Therefore, intercept the creation of sysfs if neither read nor write exists; create sysfs if either is supported, but intercept unsupported operations at the call site. | 2026-02-04 | not yet calculated | CVE-2026-23094 | https://git.kernel.org/stable/c/9ab05cdcac354b1b1139918f49c6418b9005d042 https://git.kernel.org/stable/c/fdbbb47d15ae17bf39fafec7e2028c1f8efba15e https://git.kernel.org/stable/c/82821a681d5dcce31475a65190fc39ea8f372cc0 https://git.kernel.org/stable/c/98eec349259b1fd876f350b1c600403bcef8f85d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gue: Fix skb memleak with inner IP protocol 0. syzbot reported skb memleak below. [0] The repro generated a GUE packet with its inner protocol 0. gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number. Let's drop such packets. Note that 0 is a valid number (IPv6 Hop-by-Hop Option). I think it is not practical to encap HOPOPT in GUE, so once someone starts to complain, we could pass down a resubmit flag pointer to distinguish two zeros from the upper layer: * no error * resubmit HOPOPT [0] BUG: memory leak unreferenced object 0xffff888109695a00 (size 240): comm "syz.0.17", pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace (crc a84b336f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 __build_skb+0x23/0x60 net/core/skbuff.c:474 build_skb+0x20/0x190 net/core/skbuff.c:490 __tun_build_skb drivers/net/tun.c:1541 [inline] tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0xa7/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2026-02-04 | not yet calculated | CVE-2026-23095 | https://git.kernel.org/stable/c/886f186328b718400dbf79e1bc8cbcbd710ab766 https://git.kernel.org/stable/c/380a82d36e37db49fd41ecc378c22fd29392e96a https://git.kernel.org/stable/c/536f5bbc322eb1e175bdd1ced22b236a951c4d8f https://git.kernel.org/stable/c/f87b9b7a618c82e7465e872eb10e14c803871892 https://git.kernel.org/stable/c/ce569b389a5c78d64788a5ea94560e17fa574b35 https://git.kernel.org/stable/c/5437a279804ced8088cabb945dba88a26d828f8c https://git.kernel.org/stable/c/9a56796ad258786d3624eef5aefba394fc9bdded |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: uacce: fix cdev handling in the cleanup path When cdev_device_add fails, it internally releases the cdev memory, and if cdev_device_del is then executed, it will cause a hang error. To fix it, we check the return value of cdev_device_add() and clear uacce->cdev to avoid calling cdev_device_del in the uacce_remove. | 2026-02-04 | not yet calculated | CVE-2026-23096 | https://git.kernel.org/stable/c/c94c7188d325bc5137d447d67a2f18f7d4f2f4a3 https://git.kernel.org/stable/c/1bc3e51367c420e6db31f41efa874c7a8e12194a https://git.kernel.org/stable/c/819d647406200d0e83e56fd2df8f451b11290559 https://git.kernel.org/stable/c/d9031575a2f8aabc53af3025dd79af313a2e046b https://git.kernel.org/stable/c/98d67a1bd6caddd0a8b8c82a0b925742cf500936 https://git.kernel.org/stable/c/bd2393ed7712513e7e2dbcb6e21464a67ff9e702 https://git.kernel.org/stable/c/a3bece3678f6c88db1f44c602b2a63e84b4040ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: migrate: correct lock ordering for hugetlb file folios Syzbot has found a deadlock (analyzed by Lance Yang): 1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock). 2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire folio_lock. migrate_pages() -> migrate_hugetlbs() -> unmap_and_move_huge_page() <- Takes folio_lock! -> remove_migration_ptes() -> __rmap_walk_file() -> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)! hugetlbfs_fallocate() -> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)! -> hugetlbfs_zero_partial_page() -> filemap_lock_hugetlb_folio() -> filemap_lock_folio() -> __filemap_get_folio <- Waits for folio_lock! The migration path is the one taking locks in the wrong order according to the documentation at the top of mm/rmap.c. So expand the scope of the existing i_mmap_lock to cover the calls to remove_migration_ptes() too. This is (mostly) how it used to be after commit c0d0381ade79. That was removed by 336bf30eb765 for both file & anon hugetlb pages when it should only have been removed for anon hugetlb pages. | 2026-02-04 | not yet calculated | CVE-2026-23097 | https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394 https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9 https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330 https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34 https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1 https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305 https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame() In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug. Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb. | 2026-02-04 | not yet calculated | CVE-2026-23098 | https://git.kernel.org/stable/c/25aab6bfc31017a7e52035b99aef5c2b6bde8ffb https://git.kernel.org/stable/c/6e0110ea90313b7c0558a0b77038274a6821caf8 https://git.kernel.org/stable/c/7c48fdf2d1349bb54815b56fb012b9d577707708 https://git.kernel.org/stable/c/bd8955337e3764f912f49b360e176d8aaecf7016 https://git.kernel.org/stable/c/94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c https://git.kernel.org/stable/c/9f5fa78d9980fe75a69835521627ab7943cb3d67 https://git.kernel.org/stable/c/ba1096c315283ee3292765f6aea4cca15816c4f7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bonding: limit BOND_MODE_8023AD to Ethernet devices BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. syzbot reported: BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497 CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 __hw_addr_create net/core/dev_addr_lists.c:63 [inline] __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 __dev_mc_add net/core/dev_addr_lists.c:868 [inline] dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886 bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180 do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963 do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x505/0x820 net/socket.c:2592 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 __sys_sendmsg+0x164/0x220 net/socket.c:2678 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307 do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332 entry_SYSENTER_compat_after_hwframe+0x84/0x8e </TASK> The buggy address belongs to the variable: lacpdu_mcast_addr+0x0/0x40 | 2026-02-04 | not yet calculated | CVE-2026-23099 | https://git.kernel.org/stable/c/72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4 https://git.kernel.org/stable/c/5063b2cd9b27d35ab788d707d7858ded0acc8f1d https://git.kernel.org/stable/c/80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d https://git.kernel.org/stable/c/ef68afb1bee8d35a18896c27d7358079353d8d8a https://git.kernel.org/stable/c/43dee6f7ef1d228821de1b61c292af3744c8d7da https://git.kernel.org/stable/c/c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb_pmd_shared() Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3. One functional fix, one performance regression fix, and two related comment fixes. I cleaned up my prototype I recently shared [1] for the performance fix, deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things. The goal of this patch set is to be backported to stable trees "fairly" easily. At least patch #1 and #4. Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing Patch #2 + #3 are simple comment fixes that patch #4 interacts with. Patch #4 is a fix for the reported performance regression due to excessive IPI broadcasts during fork()+exit(). The last patch is all about TLB flushes, IPIs and mmu_gather. Read: complicated There are plenty of cleanups in the future to be had + one reasonable optimization on x86. But that's all out of scope for this series. Runtime tested, with a focus on fixing the performance regression using the original reproducer [2] on x86. This patch (of 4): We switched from (wrongly) using the page count to an independent shared count. Now, shared page tables have a refcount of 1 (excluding speculative references) and instead use ptdesc->pt_share_count to identify sharing. We didn't convert hugetlb_pmd_shared(), so right now, we would never detect a shared PMD table as such, because sharing/unsharing no longer touches the refcount of a PMD table. Page migration, like mbind() or migrate_pages() would allow for migrating folios mapped into such shared PMD tables, even though the folios are not exclusive. In smaps we would account them as "private" although they are "shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the pagemap interface. Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared(). | 2026-02-04 | not yet calculated | CVE-2026-23100 | https://git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf https://git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: leds: led-class: Only Add LED to leds_list when it is fully ready Before this change the LED was added to leds_list before led_init_core() gets called, adding it to the list before led_classdev.set_brightness_work gets initialized. This leaves a window where led_trigger_register() of a LED's default trigger will call led_trigger_set() which calls led_set_brightness() which in turn will end up queueing the *uninitialized* led_classdev.set_brightness_work. This race gets hit by the lenovo-thinkpad-t14s EC driver which registers 2 LEDs with a default trigger provided by snd_ctl_led.ko in quick succession. The first led_classdev_register() causes an async modprobe of snd_ctl_led to run and that async modprobe manages to exactly hit the window where the second LED is on the leds_list without led_init_core() being called for it, resulting in: ------------[ cut here ]------------ WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390 Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025 ... Call trace: __flush_work+0x344/0x390 (P) flush_work+0x2c/0x50 led_trigger_set+0x1c8/0x340 led_trigger_register+0x17c/0x1c0 led_trigger_register_simple+0x84/0xe8 snd_ctl_led_init+0x40/0xf88 [snd_ctl_led] do_one_initcall+0x5c/0x318 do_init_module+0x9c/0x2b8 load_module+0x7e0/0x998 Close the race window by moving the adding of the LED to leds_list to after the led_init_core() call. | 2026-02-04 | not yet calculated | CVE-2026-23101 | https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77 https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386 https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3 https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234 https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Fix restoration of SVE context When SME is supported, restoring SVE signal context can go wrong in a few ways, including placing the task into an invalid state where the kernel may read from out-of-bounds memory (and may potentially take a fatal fault) and/or may kill the task with a SIGKILL. (1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into an invalid state where SVCR.SM is set (and sve_state is non-NULL) but TIF_SME is clear, consequently resulting in out-of-bounds memory reads and/or killing the task with SIGKILL. This can only occur in unusual (but legitimate) cases where the SVE signal context has either been modified by userspace or was saved in the context of another task (e.g. as with CRIU), as otherwise the presence of an SVE signal context with SVE_SIG_FLAG_SM implies that TIF_SME is already set. While in this state, task_fpsimd_load() will NOT configure SMCR_ELx (leaving some arbitrary value configured in hardware) before restoring SVCR and attempting to restore the streaming mode SVE registers from memory via sve_load_state(). As the value of SMCR_ELx.LEN may be larger than the task's streaming SVE vector length, this may read memory outside of the task's allocated sve_state, reading unrelated data and/or triggering a fault. While this can result in secrets being loaded into streaming SVE registers, these values are never exposed. As TIF_SME is clear, fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0 accesses to streaming mode SVE registers, so these cannot be accessed directly at EL0. As fpsimd_save_user_state() verifies the live vector length before saving (S)SVE state to memory, no secret values can be saved back to memory (and hence cannot be observed via ptrace, signals, etc). When the live vector length doesn't match the expected vector length for the task, fpsimd_save_user_state() will send a fatal SIGKILL signal to the task. Hence the task may be killed after executing userspace for some period of time. (2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the task's SVCR.SM. If SVCR.SM was set prior to restoring the context, then the task will be left in streaming mode unexpectedly, and some register state will be combined inconsistently, though the task will be left in legitimate state from the kernel's PoV. This can only occur in unusual (but legitimate) cases where ptrace has been used to set SVCR.SM after entry to the sigreturn syscall, as syscall entry clears SVCR.SM. In these cases, the provided SVE register data will be loaded into the task's sve_state using the non-streaming SVE vector length and the FPSIMD registers will be merged into this using the streaming SVE vector length. Fix (1) by setting TIF_SME when setting SVCR.SM. This also requires ensuring that the task's sme_state has been allocated, but as this could contain live ZA state, it should not be zeroed. Fix (2) by clearing SVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear. For consistency, I've pulled the manipulation of SVCR, TIF_SVE, TIF_SME, and fp_type earlier, immediately after the allocation of sve_state/sme_state, before the restore of the actual register state. This makes it easier to ensure that these are always modified consistently, even if a fault is taken while reading the register data from the signal context. I do not expect any software to depend on the exact state restored when a fault is taken while reading the context. | 2026-02-04 | not yet calculated | CVE-2026-23102 | https://git.kernel.org/stable/c/9bc3adba8c35119be80ab20217027720446742f2 https://git.kernel.org/stable/c/ce820dd4e6e2d711242dc4331713b9bb4fe06d09 https://git.kernel.org/stable/c/7b5a52cf252a0d2e89787b645290ad288878f332 https://git.kernel.org/stable/c/d2907cbe9ea0a54cbe078076f9d089240ee1e2d9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipvlan: Make the addrs_lock be per port Make the addrs_lock be per port, not per ipvlan dev. Initial code seems to be written in the assumption, that any address change must occur under RTNL. But it is not so for the case of IPv6. So 1) Introduce per-port addrs_lock. 2) It was needed to fix places where it was forgotten to take lock (ipvlan_open/ipvlan_close) This appears to be a very minor problem though. Since it's highly unlikely that ipvlan_add_addr() will be called on 2 CPU simultaneously. But nevertheless, this could cause: 1) False-negative of ipvlan_addr_busy(): one interface iterated through all port->ipvlans + ipvlan->addrs under some ipvlan spinlock, and another added IP under its own lock. Though this is only possible for IPv6, since looks like only ipvlan_addr6_event() can be called without rtnl_lock. 2) Race since ipvlan_ht_addr_add(port) is called under different ipvlan->addrs_lock locks This should not affect performance, since add/remove IP is a rare situation and spinlock is not taken on fast paths. | 2026-02-04 | not yet calculated | CVE-2026-23103 | https://git.kernel.org/stable/c/3c149b662cbb202a450e81f938e702ba333864ad https://git.kernel.org/stable/c/70feb16e3fbfb10b15de1396557c38e99f1ab8df https://git.kernel.org/stable/c/88f83e6c9cdb46b8c8ddd0ba01393362963cf589 https://git.kernel.org/stable/c/04ba6de6eff61238e5397c14ac26a6578c7735a5 https://git.kernel.org/stable/c/1f300c10d92c547c3a7d978e1212ff52f18256ed https://git.kernel.org/stable/c/6a81e2db096913d7e43aada1c350c1282e76db39 https://git.kernel.org/stable/c/d3ba32162488283c0a4c5bedd8817aec91748802 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: fix devlink reload call trace Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced internal temperature sensor reading via HWMON. ice_hwmon_init() was added to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a result if devlink reload is used to reinit the device and then the driver is removed, a call trace can occur. BUG: unable to handle page fault for address: ffffffffc0fd4b5d Call Trace: string+0x48/0xe0 vsnprintf+0x1f9/0x650 sprintf+0x62/0x80 name_show+0x1f/0x30 dev_attr_show+0x19/0x60 The call trace repeats approximately every 10 minutes when system monitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs attributes that reference freed module memory. The sequence is: 1. Driver load, ice_hwmon_init() gets called from ice_init_feature() 2. Devlink reload down, flow does not call ice_remove() 3. Devlink reload up, ice_hwmon_init() gets called from ice_init_feature() resulting in a second instance 4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the first hwmon instance orphaned with dangling pointer Fix this by moving ice_hwmon_exit() from ice_remove() to ice_deinit_features() to ensure proper cleanup symmetry with ice_hwmon_init(). | 2026-02-04 | not yet calculated | CVE-2026-23104 | https://git.kernel.org/stable/c/87c1dacca197cc64e06fedeb269e3dd6699bae60 https://git.kernel.org/stable/c/d3f867e7a04678640ebcbfb81893c59f4af48586 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag This is more of a preventive patch to make the code more consistent and to prevent possible exploits that employ child qlen manipulations on qfq. use cl_is_active instead of relying on the child qdisc's qlen to determine class activation. | 2026-02-04 | not yet calculated | CVE-2026-23105 | https://git.kernel.org/stable/c/fac2c67bb2bb732eae4283e45fc338af7e08c254 https://git.kernel.org/stable/c/b8c24cf5268fb3bfb8d16324c3dbb985f698c835 https://git.kernel.org/stable/c/f27047abf7cac1b6f90c3ad60de21ef9f717c26d https://git.kernel.org/stable/c/93b8635974fb050c43d07e35e5edfe6e685ca28a https://git.kernel.org/stable/c/abd9fc26ea577561a5ef6241a1b058755ffdad0c https://git.kernel.org/stable/c/77f1afd0bb4d5da95236f6114e6d0dfcde187ff6 https://git.kernel.org/stable/c/d837fbee92453fbb829f950c8e7cf76207d73f33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: timekeeping: Adjust the leap state for the correct auxiliary timekeeper When __do_adjtimex() was introduced to handle adjtimex for any timekeeper, this reference to tk_core was not updated. When called on an auxiliary timekeeper, the core timekeeper would be updated incorrectly. This gets caught by the lock debugging diagnostics because the timekeeper's sequence lock gets written to without holding its associated spinlock: WARNING: include/linux/seqlock.h:226 at __do_adjtimex+0x394/0x3b0, CPU#2: test/125 aux_clock_adj (kernel/time/timekeeping.c:2979) __do_sys_clock_adjtime (kernel/time/posix-timers.c:1161 kernel/time/posix-timers.c:1173) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) Update the correct auxiliary timekeeper. | 2026-02-04 | not yet calculated | CVE-2026-23106 | https://git.kernel.org/stable/c/8f7c9dbeaa0be5810e44d323735967d3dba9239d https://git.kernel.org/stable/c/e806f7dde8ba28bc72a7a0898589cac79f6362ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA The code to restore a ZA context doesn't attempt to allocate the task's sve_state before setting TIF_SME. Consequently, restoring a ZA context can place a task into an invalid state where TIF_SME is set but the task's sve_state is NULL. In legitimate but uncommon cases where the ZA signal context was NOT created by the kernel in the context of the same task (e.g. if the task is saved/restored with something like CRIU), we have no guarantee that sve_state had been allocated previously. In these cases, userspace can enter streaming mode without trapping while sve_state is NULL, causing a later NULL pointer dereference when the kernel attempts to store the register state. Fix this by having restore_za_context() ensure that the task's sve_state is allocated, matching what we do when taking an SME trap. Any live SVE/SSVE state (which is restored earlier from a separate signal context) must be preserved, and hence this is not zeroed. | 2026-02-04 | not yet calculated | CVE-2026-23107 | https://git.kernel.org/stable/c/c5a5b150992ebab779c1ce54f54676786e47e94c https://git.kernel.org/stable/c/19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214 https://git.kernel.org/stable/c/0af233d66eff90fb8f3e0fc09f2316bba0b72bb9 https://git.kernel.org/stable/c/70f7f54566afc23f2c71bf1411af81f5d8009e0f https://git.kernel.org/stable/c/ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback usb_8dev_read_bulk_callback(), the URBs are processed and resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23108 | https://git.kernel.org/stable/c/feb8243eaea7efd5279b19667d7189fd8654c87a https://git.kernel.org/stable/c/ef6e608e5ee71eca0cd3475c737e684cef24f240 https://git.kernel.org/stable/c/60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9 https://git.kernel.org/stable/c/59ff56992bba28051ad67cd8cc7b0edfe7280796 https://git.kernel.org/stable/c/ea4a98e924164586066b39f29bfcc7cc9da108cd https://git.kernel.org/stable/c/07e9373739c6388af9d99797cdb2e79dbbcbe92b https://git.kernel.org/stable/c/f7a980b3b8f80fe367f679da376cf76e800f9480 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes() Above the while() loop in wait_sb_inodes(), we document that we must wait for all pages under writeback for data integrity. Consequently, if a mapping, like fuse, traditionally does not have data integrity semantics, there is no need to wait at all; we can simply skip these inodes. This restores fuse back to prior behavior where syncs are no-ops. This fixes a user regression where if a system is running a faulty fuse server that does not reply to issued write requests, this causes wait_sb_inodes() to wait forever. | 2026-02-04 | not yet calculated | CVE-2026-23109 | https://git.kernel.org/stable/c/3f4ed5e2b8f111553562507ad6202432c7c57731 https://git.kernel.org/stable/c/f9a49aa302a05e91ca01f69031cb79a0ea33031f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: core: Wake up the error handler when final completions race against each other The fragile ordering between marking commands completed or failed so that the error handler only wakes when the last running command completes or times out has race conditions. These race conditions can cause the SCSI layer to fail to wake the error handler, leaving I/O through the SCSI host stuck as the error state cannot advance. First, there is a memory ordering issue within scsi_dec_host_busy(). The write which clears SCMD_STATE_INFLIGHT may be reordered with reads counting in scsi_host_busy(). While the local CPU will see its own write, reordering can allow other CPUs in scsi_dec_host_busy() or scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to see a host busy equal to the host_failed count. This race condition can be prevented with a memory barrier on the error path to force the write to be visible before counting host busy commands. Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By counting busy commands before incrementing host_failed, it can race with a final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does not see host_failed incremented but scsi_eh_inc_host_failed() counts busy commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), resulting in neither waking the error handler task. This needs the call to scsi_host_busy() to be moved after host_failed is incremented to close the race condition. | 2026-02-04 | not yet calculated | CVE-2026-23110 | https://git.kernel.org/stable/c/cc872e35c0df80062abc71268d690a2f749e542e https://git.kernel.org/stable/c/6d9a367be356101963c249ebf10ea10b32886607 https://git.kernel.org/stable/c/9fdc6f28d5e81350ab1d2cac8389062bd09e61e1 https://git.kernel.org/stable/c/64ae21b9c4f0c7e60cf47a53fa7ab68852079ef0 https://git.kernel.org/stable/c/219f009ebfd1ef3970888ee9eef4c8a06357f862 https://git.kernel.org/stable/c/fe2f8ad6f0999db3b318359a01ee0108c703a8c3 |
| Six Apart Ltd.--Movable Type (Software Edition) | A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | 2026-02-04 | not yet calculated | CVE-2026-23704 | https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html https://jvn.jp/en/jp/JVN45405689/ |
| Apache Software Foundation--Apache Syncope | Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue. | 2026-02-03 | not yet calculated | CVE-2026-23794 | https://lists.apache.org/thread/7h30ghqdsf3spl3h7gdmscxofrm8ygjo |
| Apache Software Foundation--Apache Syncope | Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue. | 2026-02-03 | not yet calculated | CVE-2026-23795 | https://lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos |
| OpenSolution--Quick.Cart | Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-02-05 | not yet calculated | CVE-2026-23796 | https://opensolution.org/sklep-internetowy-quick-cart.html https://cert.pl/posts/2026/02/CVE-2026-23796 |
| OpenSolution--Quick.Cart | In Quick.Cart, user passwords are stored in plaintext form. An attacker with high privileges can display users' passwords on the user editing page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-02-05 | not yet calculated | CVE-2026-23797 | https://opensolution.org/sklep-internetowy-quick-cart.html https://cert.pl/posts/2026/02/CVE-2026-23796 |
| parallax--jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0. | 2026-02-02 | not yet calculated | CVE-2026-24040 | https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4 https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| parallax--jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0. | 2026-02-02 | not yet calculated | CVE-2026-24043 | https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422 https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| zulip--zulip | Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting these vulnerabilities required the user explicitly interacting with the problematic object. This vulnerability is fixed in 11.5. | 2026-02-06 | not yet calculated | CVE-2026-24050 | https://github.com/zulip/zulip/security/advisories/GHSA-56qv-8823-6fq9 https://github.com/zulip/zulip/commit/e6093d9e4788f4d82236d856c5ed7b16767886a7 https://github.com/zulip/zulip/releases/tag/11.5 https://zulip.readthedocs.io/en/latest/overview/changelog.html#zulip-server-11-5 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), which could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111. | 2026-02-03 | not yet calculated | CVE-2026-24052 | https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.74. | 2026-02-03 | not yet calculated | CVE-2026-24053 | https://github.com/anthropics/claude-code/security/advisories/GHSA-q728-gf8j-w49r |
| Native Instruments--Native Access | During the installation of the Native Access application, a privileged helper `com.native-instruments.NativeAccess.Helper2`, which is used by Native Access to trigger functions via XPC communication like copy-file, remove or set-permissions, is deployed as well. The communication with the XPC service of the privileged helper is only allowed if the client process is signed with the corresponding certificate and fulfills the following code signing requirement: "anchor trusted and certificate leaf[subject.CN] = \"Developer ID Application: Native Instruments GmbH (83K5EG6Z9V)\"" The Native Access application was found to be signed with the `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation` entitlements leading to DYLIB injection and therefore command execution in the context of this application. A low privileged user can exploit the DYLIB injection to trigger functions of the privileged helper XPC service resulting in privilege escalation by first deleting the /etc/sudoers file and then copying a malicious version of that file to /etc/sudoers. | 2026-02-02 | not yet calculated | CVE-2026-24070 | https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/ |
| Native Instruments--Native Access | It was found that the XPC service offered by the privileged helper of Native Access uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks. The connection handler function uses _xpc_connection_get_pid(arg2) as the argument for the hasValidSignature function. This value cannot be trusted since it is vulnerable to PID reuse attacks. | 2026-02-02 | not yet calculated | CVE-2026-24071 | https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/ |
| parallax--jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in jsPDF@4.1.0. | 2026-02-02 | not yet calculated | CVE-2026-24133 | https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c https://github.com/parallax/jsPDF/commit/ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0d https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| gogs--gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | not yet calculated | CVE-2026-24135 | https://github.com/gogs/gogs/security/advisories/GHSA-jp7c-wj6q-3qf2 |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails to properly sanitize the idarticolo parameter before using it in SQL queries, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference. | 2026-02-06 | not yet calculated | CVE-2026-24416 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-p864-fqgv-92q4 |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference. | 2026-02-06 | not yet calculated | CVE-2026-24417 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4hc4-8599-xh2h |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages. | 2026-02-06 | not yet calculated | CVE-2026-24418 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages. | 2026-02-06 | not yet calculated | CVE-2026-24419 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6 |
| Shenzhen Tenda Technology Co., Ltd.--Tenda AC7 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses without adequate escaping, allowing injection of arbitrary HTML or JavaScript in a victim's browser context. | 2026-02-03 | not yet calculated | CVE-2026-24426 | https://www.tendacn.com/product/AC7 https://www.vulncheck.com/advisories/tenda-ac7-reflected-xss-via-web-interface-output-encoding |
| Shenzhen Tenda Technology Co., Ltd.--Tenda AC7 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose sensitive information in web management responses. Administrative credentials, including the router and/or admin panel password, are included in plaintext within configuration response bodies. In addition, responses lack appropriate Cache-Control directives, which may permit web browsers to cache pages containing these credentials and enable subsequent disclosure to an attacker with access to the client system or browser profile. | 2026-02-03 | not yet calculated | CVE-2026-24427 | https://www.tendacn.com/product/AC7 https://www.vulncheck.com/advisories/tenda-ac7-exposes-admin-credentials-in-configuration-responses |
| Shenzhen Tenda Technology Co., Ltd.--Tenda AC7 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator to perform unintended state-changing requests and modify router settings. | 2026-02-03 | not yet calculated | CVE-2026-24434 | https://www.tendacn.com/product/AC7 https://www.vulncheck.com/advisories/tenda-ac7-web-interface-lacks-csrf-protections-for-admin-actions |
| Shenzhen Tenda Technology Co., Ltd.--Tenda AC7 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material. | 2026-02-03 | not yet calculated | CVE-2026-24441 | https://www.tendacn.com/product/AC7 https://www.vulncheck.com/advisories/tenda-ac7-transmits-admin-credentials-without-https-protection |
| Six Apart Ltd.--Movable Type (Software Edition) | If malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user downloads and opens such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | 2026-02-04 | not yet calculated | CVE-2026-24447 | https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html https://jvn.jp/en/jp/JVN45405689/ |
| ELECOM CO.,LTD.--WRC-X1500GS-B | For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information. | 2026-02-03 | not yet calculated | CVE-2026-24449 | https://www.elecom.co.jp/news/security/20260203-01/ https://jvn.jp/en/jp/JVN94012927/ |
| ELECOM CO.,LTD.--WAB-S733IW2-PD | Stack-based buffer overflow vulnerability exists in ELECOM wireless LAN access point devices. A crafted packet may lead to arbitrary code execution. | 2026-02-03 | not yet calculated | CVE-2026-24465 | https://www.elecom.co.jp/news/security/20260203-01/ https://www.elecom.co.jp/news/security/20260203-02/ https://jvn.jp/en/jp/JVN94012927/ |
| continuwuity--continuwuity | continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or knocking on a room, the victim server may ask a remote server for assistance. If the victim asks the attacker server for assistance, the attacker is able to provide an arbitrary event, which the victim will sign and return to the attacker. For the /leave endpoint, this works for any event with a supported room version, where the origin and origin_server_ts are set by the victim. For the /join endpoint, an additional victim-set content field in the format of a join membership is needed. For the /knock endpoint, an additional victim-set content field in the format of a knock membership and a room version not between 1 and 6 is needed. This was exploited as a part of a larger chain against the continuwuity.org homeserver. This vulnerability affects all Conduit-derived servers. This vulnerability is fixed in Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9. | 2026-02-02 | not yet calculated | CVE-2026-24471 | https://github.com/continuwuity/continuwuity/security/advisories/GHSA-m5p2-vccg-8c9v https://forgejo.ellis.link/continuwuation/continuwuity/commit/12aecf809172205436c852a1eaf268c1a2c3a900 |
| Roland Corporation--Roland Cloud Manager | The installer for Roland Cloud Manager ver.3.1.19 and prior insecurely loads Dynamic Link Libraries (DLLs), which could allow an attacker to execute arbitrary code with the privileges of the application. | 2026-02-03 | not yet calculated | CVE-2026-24694 | https://www.roland.com/global/products/rc_roland_cloud_manager/support/#dl-support_documents https://jvn.jp/en/jp/JVN89992160/ |
| Apache Software Foundation--Apache Answer | Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows an unauthorized user to retrieve restricted or sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue. | 2026-02-04 | not yet calculated | CVE-2026-24735 | https://lists.apache.org/thread/whxloom7mpxlyt5wzdskflsg5mzdzd60 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This issue has been patched in version alpha.82. | 2026-02-03 | not yet calculated | CVE-2026-24762 | https://github.com/rustfs/rustfs/security/advisories/GHSA-r54g-49rx-98cr |
| RaspAP--raspap-webgui | RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product. | 2026-02-02 | not yet calculated | CVE-2026-24788 | https://github.com/RaspAP/raspap-webgui/releases https://jvn.jp/en/jp/JVN27202136/ |
| openfga--openfga | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 (openfga-0.2.22 <= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access. This vulnerability is fixed in v1.11.3. | 2026-02-06 | not yet calculated | CVE-2026-24851 | https://github.com/openfga/openfga/security/advisories/GHSA-jq9f-gm9w-rwm9 https://github.com/openfga/openfga/releases/tag/v1.11.3 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.72. | 2026-02-03 | not yet calculated | CVE-2026-24887 | https://github.com/anthropics/claude-code/security/advisories/GHSA-qgqw-h4xq-7w8w |
| AlgoNetLab--OrcaStatLLM-Researcher | OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaScript code in victims' browsers through malicious research topic inputs. | 2026-02-06 | not yet calculated | CVE-2026-24903 | https://github.com/AlgoNetLab/OrcaStatLLM-Researcher/security/advisories/GHSA-47wv-g894-82m4 |
| ASUSTOR--ADM | The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, the improperly validated TLS/SSL certificate allows a remote attacker to intercept the communication and perform a Man-in-the-Middle (MitM) attack, which may expose sensitive information from the DDNS update process, including the user's account email, MD5 hashed password, and device serial number. This issue affects ADM: from 4.1.0 through 4.3.3.ROF1, from 5.0.0 through 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24932 | https://www.asustor.com/security/security_advisory_detail?id=50 |
| ASUSTOR--ADM | The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. This improper certificate validation vulnerability allows an unauthenticated remote attacker to perform a Man-in-the-Middle (MitM) attack to intercept the cleartext communication, potentially leading to the exposure of sensitive user information, including account emails, MD5 hashed passwords, and device serial numbers. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24933 | https://www.asustor.com/security/security_advisory_detail?id=50 |
| ASUSTOR--ADM | The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. An unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to spoof the response, leading the device to update its DDNS record with an incorrect IP address. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24934 | https://www.asustor.com/security/security_advisory_detail?id=50 |
| ASUSTOR--ADM | A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could allow an attacker to disrupt service availability or facilitate further targeted attacks by acting as a proxy between the user and the device services. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24935 | https://www.asustor.com/security/security_advisory_detail?id=50 |
| ASUSTOR--ADM | When a specific function is enabled while joining an AD Domain from ADM, an improper input parameter validation vulnerability in a specific CGI program allows an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24936 | https://www.asustor.com/security/security_advisory_detail?id=51 |
| Ajay--Better Search | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS. This issue affects Better Search: from n/a through <= 4.2.1. | 2026-02-03 | not yet calculated | CVE-2026-24938 | https://patchstack.com/database/Wordpress/Plugin/better-search/vulnerability/wordpress-better-search-plugin-4-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Chill--Modula Image Gallery | Missing Authorization vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Modula Image Gallery: from n/a through <= 2.13.6. | 2026-02-03 | not yet calculated | CVE-2026-24939 | https://patchstack.com/database/Wordpress/Plugin/modula-best-grid-gallery/vulnerability/wordpress-modula-image-gallery-plugin-2-13-6-broken-access-control-vulnerability?_s_id=cve |
| Themefic--Travelfic Toolkit | Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travelfic Toolkit: from n/a through <= 1.3.3. | 2026-02-03 | not yet calculated | CVE-2026-24940 | https://patchstack.com/database/Wordpress/Plugin/travelfic-toolkit/vulnerability/wordpress-travelfic-toolkit-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| magepeopleteam--WpEvently | Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam WpEvently mage-eventpress allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through <= 5.1.1. | 2026-02-03 | not yet calculated | CVE-2026-24942 | https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Themefic--Ultimate Addons for Contact Form 7 | Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.34. | 2026-02-03 | not yet calculated | CVE-2026-24945 | https://patchstack.com/database/Wordpress/Plugin/ultimate-addons-for-contact-form-7/vulnerability/wordpress-ultimate-addons-for-contact-form-7-plugin-3-5-34-broken-access-control-vulnerability?_s_id=cve |
| LA-Studio--LA-Studio Element Kit for Elementor | Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3. | 2026-02-03 | not yet calculated | CVE-2026-24947 | https://patchstack.com/database/Wordpress/Plugin/lastudio-element-kit/vulnerability/wordpress-la-studio-element-kit-for-elementor-plugin-1-5-6-3-broken-access-control-vulnerability?_s_id=cve |
| Saad Iqbal--myCred | Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects myCred: from n/a through <= 2.9.7.3. | 2026-02-03 | not yet calculated | CVE-2026-24951 | https://patchstack.com/database/Wordpress/Plugin/mycred/vulnerability/wordpress-mycred-plugin-2-9-7-3-broken-access-control-vulnerability?_s_id=cve |
| Craig Hewitt--Seriously Simple Podcasting | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Stored XSS. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1. | 2026-02-03 | not yet calculated | CVE-2026-24952 | https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| magepeopleteam--WpEvently | Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 5.0.8. | 2026-02-03 | not yet calculated | CVE-2026-24954 | https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-0-8-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| WP Chill--Strong Testimonials | Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Strong Testimonials: from n/a through <= 3.2.20. | 2026-02-03 | not yet calculated | CVE-2026-24957 | https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-2-20-broken-access-control-vulnerability?_s_id=cve |
| Crocoblock--JetElements For Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS. This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2. | 2026-02-03 | not yet calculated | CVE-2026-24958 | https://patchstack.com/database/Wordpress/Plugin/jet-elements/vulnerability/wordpress-jetelements-for-elementor-plugin-2-7-12-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Blog | Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Server Side Request Forgery. This issue affects Grand Blog: from n/a through < 3.1.5. | 2026-02-03 | not yet calculated | CVE-2026-24961 | https://patchstack.com/database/Wordpress/Theme/grandblog/vulnerability/wordpress-grand-blog-theme-3-1-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Brainstorm Force--Sigmize | Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery. This issue affects Sigmize: from n/a through <= 0.0.9. | 2026-02-03 | not yet calculated | CVE-2026-24962 | https://patchstack.com/database/Wordpress/Plugin/sigmize/vulnerability/wordpress-sigmize-plugin-0-0-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Wasiliy Strecker / ContestGallery developer--Contest Gallery | Missing Authorization vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contest Gallery: from n/a through <= 28.1.1. | 2026-02-03 | not yet calculated | CVE-2026-24965 | https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-1-broken-access-control-vulnerability?_s_id=cve |
| Copyscape--Copyscape Premium | Cross-Site Request Forgery (CSRF) vulnerability in Copyscape Copyscape Premium copyscape-premium allows Cross Site Request Forgery. This issue affects Copyscape Premium: from n/a through <= 1.4.1. | 2026-02-03 | not yet calculated | CVE-2026-24966 | https://patchstack.com/database/Wordpress/Plugin/copyscape-premium/vulnerability/wordpress-copyscape-premium-plugin-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ameliabooking--Amelia | Missing Authorization vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through <= 1.2.38. | 2026-02-03 | not yet calculated | CVE-2026-24967 | https://patchstack.com/database/Wordpress/Plugin/ameliabooking/vulnerability/wordpress-amelia-plugin-1-2-38-broken-access-control-vulnerability?_s_id=cve |
| Brainstorm Force--Spectra | Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through <= 2.19.17. | 2026-02-03 | not yet calculated | CVE-2026-24982 | https://patchstack.com/database/Wordpress/Plugin/ultimate-addons-for-gutenberg/vulnerability/wordpress-spectra-plugin-2-19-17-broken-access-control-vulnerability?_s_id=cve |
| Brecht--Visual Link Preview | Missing Authorization vulnerability in Brecht Visual Link Preview visual-link-preview allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Visual Link Preview: from n/a through <= 2.2.9. | 2026-02-03 | not yet calculated | CVE-2026-24984 | https://patchstack.com/database/Wordpress/Plugin/visual-link-preview/vulnerability/wordpress-visual-link-preview-plugin-2-2-9-broken-access-control-vulnerability?_s_id=cve |
| approveme--WP Forms Signature Contract Add-On | Missing Authorization vulnerability in approveme WP Forms Signature Contract Add-On wp-forms-signature-contract-add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Forms Signature Contract Add-On: from n/a through <= 1.8.2. | 2026-02-03 | not yet calculated | CVE-2026-24985 | https://patchstack.com/database/Wordpress/Plugin/wp-forms-signature-contract-add-on/vulnerability/wordpress-wp-forms-signature-contract-add-on-plugin-1-8-2-broken-access-control-to-notice-dismissal-vulnerability?_s_id=cve |
| wp.insider--Simple Membership WP user Import | Cross-Site Request Forgery (CSRF) vulnerability in wp.insider Simple Membership WP user Import simple-membership-wp-user-import allows Cross Site Request Forgery. This issue affects Simple Membership WP user Import: from n/a through <= 1.9.1. | 2026-02-03 | not yet calculated | CVE-2026-24986 | https://patchstack.com/database/Wordpress/Plugin/simple-membership-wp-user-import/vulnerability/wordpress-simple-membership-wp-user-import-plugin-1-9-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Brian Hogg--The Events Calendar Shortcode & Block | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Hogg The Events Calendar Shortcode & Block the-events-calendar-shortcode allows Stored XSS. This issue affects The Events Calendar Shortcode & Block: from n/a through <= 3.1.1. | 2026-02-03 | not yet calculated | CVE-2026-24988 | https://patchstack.com/database/Wordpress/Plugin/the-events-calendar-shortcode/vulnerability/wordpress-the-events-calendar-shortcode-block-plugin-3-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Fahad Mahmood--WP Docs | Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Docs: from n/a through <= 2.2.8. | 2026-02-03 | not yet calculated | CVE-2026-24990 | https://patchstack.com/database/Wordpress/Plugin/wp-docs/vulnerability/wordpress-wp-docs-plugin-2-2-8-broken-access-control-vulnerability?_s_id=cve |
| HT Plugins--Extensions For CF7 | Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Extensions For CF7: from n/a through <= 3.4.0. | 2026-02-03 | not yet calculated | CVE-2026-24991 | https://patchstack.com/database/Wordpress/Plugin/extensions-for-cf7/vulnerability/wordpress-extensions-for-cf7-plugin-3-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| WPFactory--Advanced WooCommerce Product Sales Reporting | Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Retrieve Embedded Sensitive Data. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.2. | 2026-02-03 | not yet calculated | CVE-2026-24992 | https://patchstack.com/database/Wordpress/Plugin/webd-woocommerce-advanced-reporting-statistics/vulnerability/wordpress-advanced-woocommerce-product-sales-reporting-plugin-4-1-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| sunshinephotocart--Sunshine Photo Cart | Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through <= 3.5.7.2. | 2026-02-03 | not yet calculated | CVE-2026-24994 | https://patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-5-7-2-broken-access-control-vulnerability?_s_id=cve |
| Iulia Cazan--Latest Post Shortcode | Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Latest Post Shortcode: from n/a through <= 14.2.0. | 2026-02-03 | not yet calculated | CVE-2026-24995 | https://patchstack.com/database/Wordpress/Plugin/latest-post-shortcode/vulnerability/wordpress-latest-post-shortcode-plugin-14-2-0-broken-access-control-vulnerability?_s_id=cve |
| wpelemento--WPElemento Importer | Missing Authorization vulnerability in wpelemento WPElemento Importer wpelemento-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPElemento Importer: from n/a through <= 0.6.4. | 2026-02-03 | not yet calculated | CVE-2026-24996 | https://patchstack.com/database/Wordpress/Plugin/wpelemento-importer/vulnerability/wordpress-wpelemento-importer-plugin-0-6-4-broken-access-control-vulnerability?_s_id=cve |
| Wired Impact--Wired Impact Volunteer Management | Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wired Impact Volunteer Management: from n/a through <= 2.8. | 2026-02-03 | not yet calculated | CVE-2026-24997 | https://patchstack.com/database/Wordpress/Plugin/wired-impact-volunteer-management/vulnerability/wordpress-wired-impact-volunteer-management-plugin-2-8-broken-access-control-vulnerability?_s_id=cve |
| WPMU DEV - Your All-in-One WordPress Platform--Hustle | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup allows Retrieve Embedded Sensitive Data. This issue affects Hustle: from n/a through <= 7.8.9.2. | 2026-02-03 | not yet calculated | CVE-2026-24998 | https://patchstack.com/database/Wordpress/Plugin/wordpress-popup/vulnerability/wordpress-hustle-plugin-7-8-9-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| ILLID--Share This Image | Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Share This Image: from n/a through <= 2.09. | 2026-02-03 | not yet calculated | CVE-2026-25010 | https://patchstack.com/database/Wordpress/Plugin/share-this-image/vulnerability/wordpress-share-this-image-plugin-2-09-broken-access-control-vulnerability?_s_id=cve |
| Northern Beaches Websites--WP Custom Admin Interface | Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Custom Admin Interface: from n/a through <= 7.41. | 2026-02-03 | not yet calculated | CVE-2026-25011 | https://patchstack.com/database/Wordpress/Plugin/wp-custom-admin-interface/vulnerability/wordpress-wp-custom-admin-interface-plugin-7-41-broken-access-control-vulnerability?_s_id=cve |
| gfazioli--WP Bannerize Pro | Missing Authorization vulnerability in gfazioli WP Bannerize Pro wp-bannerize-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Bannerize Pro: from n/a through <= 1.11.0. | 2026-02-03 | not yet calculated | CVE-2026-25012 | https://patchstack.com/database/Wordpress/Plugin/wp-bannerize-pro/vulnerability/wordpress-wp-bannerize-pro-plugin-1-11-0-broken-access-control-vulnerability?_s_id=cve |
| themelooks--Enter Addons | Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery. This issue affects Enter Addons: from n/a through <= 2.3.2. | 2026-02-03 | not yet calculated | CVE-2026-25014 | https://patchstack.com/database/Wordpress/Plugin/enteraddons/vulnerability/wordpress-enter-addons-plugin-2-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Stiofan--UsersWP | Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery. This issue affects UsersWP: from n/a through <= 1.2.53. | 2026-02-03 | not yet calculated | CVE-2026-25015 | https://patchstack.com/database/Wordpress/Plugin/userswp/vulnerability/wordpress-userswp-plugin-1-2-53-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Nelio Software--Nelio Popups | Missing Authorization vulnerability in Nelio Software Nelio Popups nelio-popups allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nelio Popups: from n/a through <= 1.3.5. | 2026-02-03 | not yet calculated | CVE-2026-25016 | https://patchstack.com/database/Wordpress/Plugin/nelio-popups/vulnerability/wordpress-nelio-popups-plugin-1-3-5-broken-access-control-vulnerability?_s_id=cve |
| Vito Peleg--Atarim | Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Atarim: from n/a through <= 4.3.1. | 2026-02-03 | not yet calculated | CVE-2026-25019 | https://patchstack.com/database/Wordpress/Plugin/atarim-visual-collaboration/vulnerability/wordpress-atarim-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve |
| WP connect--WP Sync for Notion | Missing Authorization vulnerability in WP connect WP Sync for Notion wp-sync-for-notion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Sync for Notion: from n/a through <= 1.7.0. | 2026-02-03 | not yet calculated | CVE-2026-25020 | https://patchstack.com/database/Wordpress/Plugin/wp-sync-for-notion/vulnerability/wordpress-wp-sync-for-notion-plugin-1-7-0-broken-access-control-vulnerability?_s_id=cve |
| Mizan Themes--Mizan Demo Importer | Missing Authorization vulnerability in Mizan Themes Mizan Demo Importer mizan-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mizan Demo Importer: from n/a through <= 0.1.3. | 2026-02-03 | not yet calculated | CVE-2026-25021 | https://patchstack.com/database/Wordpress/Plugin/mizan-demo-importer/vulnerability/wordpress-mizan-demo-importer-plugin-0-1-3-broken-access-control-vulnerability?_s_id=cve |
| Iqonic Design--KiviCare | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Blind SQL Injection. This issue affects KiviCare: from n/a through <= 3.6.16. | 2026-02-03 | not yet calculated | CVE-2026-25022 | https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-16-sql-injection-vulnerability?_s_id=cve |
| mdedev--Run Contests, Raffles, and Giveaways with ContestsWP | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker allows Retrieve Embedded Sensitive Data. This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through <= 2.0.7. | 2026-02-03 | not yet calculated | CVE-2026-25023 | https://patchstack.com/database/Wordpress/Plugin/contest-code-checker/vulnerability/wordpress-run-contests-raffles-and-giveaways-with-contestswp-plugin-2-0-7-sensitive-data-exposure-vulnerability?_s_id=cve |
| Blair Williams--ThirstyAffiliates | Cross-Site Request Forgery (CSRF) vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Cross Site Request Forgery. This issue affects ThirstyAffiliates: from n/a through <= 3.11.9. | 2026-02-03 | not yet calculated | CVE-2026-25024 | https://patchstack.com/database/Wordpress/Plugin/thirstyaffiliates/vulnerability/wordpress-thirstyaffiliates-plugin-3-11-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ThemeMove--Unicamp | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through <= 2.7.1. | 2026-02-03 | not yet calculated | CVE-2026-25027 | https://patchstack.com/database/Wordpress/Theme/unicamp/vulnerability/wordpress-unicamp-theme-2-7-1-local-file-inclusion-vulnerability?_s_id=cve |
| Element Invader--ElementInvader Addons for Elementor | Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.4.1. | 2026-02-03 | not yet calculated | CVE-2026-25028 | https://patchstack.com/database/Wordpress/Plugin/elementinvader-addons-for-elementor/vulnerability/wordpress-elementinvader-addons-for-elementor-plugin-1-4-1-broken-access-control-vulnerability?_s_id=cve |
| WP Chill--Passster | Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Passster: from n/a through <= 4.2.25. | 2026-02-03 | not yet calculated | CVE-2026-25036 | https://patchstack.com/database/Wordpress/Plugin/content-protector/vulnerability/wordpress-passster-plugin-4-2-25-broken-access-control-vulnerability?_s_id=cve |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2. | 2026-02-04 | not yet calculated | CVE-2026-25049 | https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8 https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2. | 2026-02-04 | not yet calculated | CVE-2026-25051 | https://github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx https://github.com/n8n-io/n8n/commit/ced34c0f93ab4c759a56065965986094d8ef7323 https://github.com/n8n-io/n8n/commit/e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of any user on the instance. This issue has been patched in versions 1.123.18 and 2.5.0. | 2026-02-04 | not yet calculated | CVE-2026-25052 | https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.10 and 2.5.0, vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the n8n host. This issue has been patched in versions 1.123.10 and 2.5.0. | 2026-02-04 | not yet calculated | CVE-2026-25053 | https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and other areas that support markdown content. An authenticated user with permission to create or modify workflows could abuse this to execute scripts with same-origin privileges when other users interact with a maliciously crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in versions 1.123.9 and 2.2.1. | 2026-02-04 | not yet calculated | CVE-2026-25054 | https://github.com/n8n-io/n8n/security/advisories/GHSA-qpq4-pw7f-pp8w |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata, the vulnerability can lead to files being written to unintended locations on those remote systems, potentially leading to remote code execution on those systems. As prerequisites, an unauthenticated attacker needs knowledge of such workflows existing, and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0. | 2026-02-04 | not yet calculated | CVE-2026-25055 | https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem, potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0. | 2026-02-04 | not yet calculated | CVE-2026-25056 | https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execute code outside the intended security boundary. This issue has been patched in version 2.4.8. | 2026-02-04 | not yet calculated | CVE-2026-25115 | https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h |
| Intermesh--groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5. | 2026-02-02 | not yet calculated | CVE-2026-25134 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849 https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b |
| RIOT-OS--RIOT | RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-of-bounds reads allow any unauthenticated user with the ability to send or manipulate input packets to read adjacent memory locations or crash a vulnerable device running the 6LoWPAN stack. The received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without validating that the packet is large enough to contain the struct object. At time of publication, no known patch exists. | 2026-02-04 | not yet calculated | CVE-2026-25139 | https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-c8fh-23qr-97mc |
| QwikDev--qwik | Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0. | 2026-02-03 | not yet calculated | CVE-2026-25148 | https://github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c https://github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094 |
| QwikDev--qwik | Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0. | 2026-02-03 | not yet calculated | CVE-2026-25149 | https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed |
| web2py--web2py | web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack. | 2026-02-05 | not yet calculated | CVE-2026-25198 | https://github.com/web2py/web2py/commit/b4e1ddbd6d40fb30863f6263a67bcdf411a0c6df https://github.com/web2py/web2py/releases https://web2py.com/ https://jvn.jp/en/jp/JVN46925341/ |
| polarnl--PolarLearn | PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for GitHub and Google login providers is vulnerable to Login Cross-Site Request Forgery (CSRF). The application fails to implement and verify the state parameter during the authentication flow. This allows an attacker to pre-authenticate a session and trick a victim into logging into the attacker's account. Any data the victim then enters or academic progress they make is stored on the attacker's account, leading to data loss for the victim and information disclosure to the attacker. | 2026-02-02 | not yet calculated | CVE-2026-25221 | https://github.com/polarnl/PolarLearn/security/advisories/GHSA-fhhm-574m-7rpw https://github.com/polarnl/PolarLearn/commit/44669bbb5b647c7625f22dd82f3121c7d7bfbe19 |
| polarnl--PolarLearn | PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms). | 2026-02-02 | not yet calculated | CVE-2026-25222 | https://github.com/polarnl/PolarLearn/security/advisories/GHSA-wcr9-mvr9-4qh5 https://github.com/polarnl/PolarLearn/commit/6c276855172c7310cce0df996cb47ffe0d886741 |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25233 | https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3 |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25234 | https://github.com/pear/pearweb/security/advisories/GHSA-q28j-3p7r-6722 |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25235 | https://github.com/pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25236 | https://github.com/pear/pearweb/security/advisories/GHSA-95mc-p966-c29f |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25237 | https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23 |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25238 | https://github.com/pear/pearweb/security/advisories/GHSA-cv3c-27h5-7gmv |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25239 | https://github.com/pear/pearweb/security/advisories/GHSA-f9mg-x463-3vxg |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25240 | https://github.com/pear/pearweb/security/advisories/GHSA-xw9g-5gr2-c44f |
| pear--pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/<package>/<version> endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25241 | https://github.com/pear/pearweb/security/advisories/GHSA-63fv-vpq5-gv8p |
| langroid--langroid | Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes (__init__, __globals__, __builtins__). This allows chaining whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code. This issue has been patched in version 0.59.32. | 2026-02-04 | not yet calculated | CVE-2026-25481 | https://github.com/langroid/langroid/security/advisories/GHSA-x34r-63hx-w57f https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj https://github.com/langroid/langroid/commit/30abbc1a854dee22fbd2f8b2f575dfdabdb603ea |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25482 | https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65 https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce's Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25483 | https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5 https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25484 | https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25485 | https://github.com/craftcms/commerce/security/advisories/GHSA-w8gw-qm8p-j9j3 https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25486 | https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22 https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25487 | https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25488 | https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8 https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25489 | https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25490 | https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| bpg--terraform-provider-proxmox | Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1. | 2026-02-04 | not yet calculated | CVE-2026-25499 | https://github.com/bpg/terraform-provider-proxmox/security/advisories/GHSA-gwch-7m8v-7544 https://github.com/bpg/terraform-provider-proxmox/commit/bd604c41a31e2a55dd6acc01b0608be3ea49c023 |
| Intermesh--groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built‑in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5. | 2026-02-04 | not yet calculated | CVE-2026-25511 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3 |
| Intermesh--groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5. | 2026-02-04 | not yet calculated | CVE-2026-25512 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4 http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792 |
| NeoRazorX--facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81. | 2026-02-04 | not yet calculated | CVE-2026-25513 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-cjfx-qhwm-hf99 https://github.com/NeoRazorX/facturascripts/commit/1b6cdfa9ee1bb3365ea4a4ad753452035a027605 |
| NeoRazorX--facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81. | 2026-02-04 | not yet calculated | CVE-2026-25514 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952 https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f |
| wagtail--wagtail | Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3. | 2026-02-04 | not yet calculated | CVE-2026-25517 | https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348 https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719 https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190 https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915 https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03 |
| locutusjs--locutus | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39. | 2026-02-04 | not yet calculated | CVE-2026-25521 | https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c |
| craftcms--commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25522 | https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| agentfront--enclave | Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: the AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior of the vm module, and the function constructor access prevention can be side-stepped by leveraging host object references. This vulnerability is fixed in 2.10.1. | 2026-02-06 | not yet calculated | CVE-2026-25533 | https://github.com/agentfront/enclave/security/advisories/GHSA-x39w-8vm5-5m3p https://github.com/agentfront/enclave/commit/2fcf5da81e7e2578ede6f94cae4f379165426dca https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf |
| Keats--jsonwebtoken | jsonwebtoken is a JWT library for Rust. Prior to version 10.3.0, there is a type confusion vulnerability in jsonwebtoken, specifically in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (such as a String instead of a Number), the library's internal parsing mechanism marks the claim as "FailedToParse". Crucially, the validation logic treats this "FailedToParse" state identically to "NotPresent". This means that if a check is enabled (for example, validate_nbf = true) but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like "Not Before" checks), potentially resulting in authentication and authorization bypasses. This issue has been patched in version 10.3.0. | 2026-02-04 | not yet calculated | CVE-2026-25537 | https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01 |
| devtron-labs--devtron | Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26. | 2026-02-04 | not yet calculated | CVE-2026-25538 | https://github.com/devtron-labs/devtron/security/advisories/GHSA-8wpc-j9q9-j5m2 https://github.com/devtron-labs/devtron/commit/d2b0d260d858ab1354b73a8f50f7f078ca62706f |
| tokio-rs--bytes | Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, the condition "v_capacity >= new_cap + offset" uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to undefined behavior (UB). This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks. This issue has been patched in version 1.11.1. | 2026-02-04 | not yet calculated | CVE-2026-25541 | https://github.com/tokio-rs/bytes/security/advisories/GHSA-434x-w66g-qw3r https://github.com/tokio-rs/bytes/commit/d0293b0e35838123c51ca5dfdf468ecafee4398f https://github.com/tokio-rs/bytes/releases/tag/v1.11.1 https://rustsec.org/advisories/RUSTSEC-2026-0007.html |
| mganss--HtmlSanitizer | HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed. This issue has been patched in versions 9.0.892 and 9.1.893-beta. | 2026-02-04 | not yet calculated | CVE-2026-25543 | https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81 https://www.nuget.org/packages/HtmlSanitizer/9.0.892 https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta |
| isaacs--brace-expansion | @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1. | 2026-02-04 | not yet calculated | CVE-2026-25547 | https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2 |
| Artifex Software--MuPDF | MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes. | 2026-02-06 | not yet calculated | CVE-2026-25556 | https://bugs.ghostscript.com/show_bug.cgi?id=709029 https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1 https://mupdf.com/ https://www.vulncheck.com/advisories/mupdf-barcode-decoding-double-free |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication. | 2026-02-07 | not yet calculated | CVE-2026-25560 | https://github.com/wekan/wekan/commit/0b0e16c3eae28bbf453d33a81a9c58ce7db6d5bb https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-ldap-authentication-filter-injection |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships. | 2026-02-07 | not yet calculated | CVE-2026-25561 | https://github.com/wekan/wekan/commit/1d16955b6d4f0a0282e89c2c1b0415c7597019b8 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-attachment-upload-object-relationship-validation-bypass |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users. | 2026-02-07 | not yet calculated | CVE-2026-25562 | https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers. | 2026-02-07 | not yet calculated | CVE-2026-25563 | https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-checklist-creation-cross-board-idor |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers. | 2026-02-07 | not yet calculated | CVE-2026-25564 | https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validation |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access. | 2026-02-07 | not yet calculated | CVE-2026-25565 | https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-read-only-board-roles-can-update-cards |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves. | 2026-02-07 | not yet calculated | CVE-2026-25566 | https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-cross-board-card-move-without-destination-authorization |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier. | 2026-02-07 | not yet calculated | CVE-2026-25567 | https://github.com/wekan/wekan/commit/67cb47173c1a152d9eaf5469740992b2dacdf62d https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-card-comment-author-spoofing-via-user-controlled-authorid |
| WeKan--WeKan | WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement. | 2026-02-07 | not yet calculated | CVE-2026-25568 | https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-allowprivateonly-setting-enforcement-bypass |
| TUM-Dev--NavigaTUM | NavigaTUM is a website and API to search for rooms, buildings and other places. Prior to commit 86f34c7, a path traversal vulnerability in the propose_edits endpoint allows unauthenticated users to overwrite files in directories writable by the application user (e.g., /cdn). By supplying unsanitized file keys containing traversal sequences (e.g., ../../) in the JSON payload, an attacker can escape the intended temporary directory and replace public-facing images or fill the server's storage. This issue has been patched via commit 86f34c7. | 2026-02-04 | not yet calculated | CVE-2026-25575 | https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm https://github.com/TUM-Dev/NavigaTUM/pull/2650 https://github.com/TUM-Dev/NavigaTUM/commit/86f34c72886a59ec8f1e6c00f78a5ab889a70fd0 |
| navidrome--navidrome | Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0. | 2026-02-04 | not yet calculated | CVE-2026-25579 | https://github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68x3 https://github.com/navidrome/navidrome/releases/tag/v0.60.0 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to 1.121.0, a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. This might only affect users who have credentials that use wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting. This issue is fixed in version 1.121.0 and later. | 2026-02-06 | not yet calculated | CVE-2026-25631 | https://github.com/n8n-io/n8n/security/advisories/GHSA-2xcx-75h9-vr9h |
| smn2gnt--MCP-Salesforce | MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10. | 2026-02-06 | not yet calculated | CVE-2026-25650 | https://github.com/smn2gnt/MCP-Salesforce/security/advisories/GHSA-vf6j-c56p-cq58 https://github.com/smn2gnt/MCP-Salesforce/commit/a1e3a5a786f48508d066b6d40b58201ebf9b7fd6 https://github.com/smn2gnt/MCP-Salesforce/releases/tag/v0.1.10 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.57. | 2026-02-06 | not yet calculated | CVE-2026-25722 | https://github.com/anthropics/claude-code/security/advisories/GHSA-66q4-vfjg-2qhh |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting this required the ability to execute commands through Claude Code with the "accept edits" feature enabled. This issue has been patched in version 2.0.55. | 2026-02-06 | not yet calculated | CVE-2026-25723 | https://github.com/anthropics/claude-code/security/advisories/GHSA-mhg7-666j-cqg4 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7. | 2026-02-06 | not yet calculated | CVE-2026-25724 | https://github.com/anthropics/claude-code/security/advisories/GHSA-4q92-rfm6-2cqx |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2. | 2026-02-06 | not yet calculated | CVE-2026-25725 | https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf |
| time-rs--time | time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack. | 2026-02-06 | not yet calculated | CVE-2026-25727 | https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05 https://github.com/time-rs/time/releases/tag/v0.3.47 |
| lintsinghua--DeepAudit | DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresses, phone numbers, full names, and role information. | 2026-02-06 | not yet calculated | CVE-2026-25729 | https://github.com/lintsinghua/DeepAudit/security/advisories/GHSA-vmmm-48w2-q56q https://github.com/lintsinghua/DeepAudit/commit/b2a3b26579d3fdbab5236ae12ed67ae2313175fd |
| frangoteam--FUXA | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10. | 2026-02-06 | not yet calculated | CVE-2026-25751 | https://github.com/frangoteam/FUXA/security/advisories/GHSA-c5gq-4h56-4mmx https://github.com/frangoteam/FUXA/releases/tag/v1.2.10 |
| frangoteam--FUXA | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnect devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10. | 2026-02-06 | not yet calculated | CVE-2026-25752 | https://github.com/frangoteam/FUXA/security/advisories/GHSA-ggxw-g3cp-mgf8 https://github.com/frangoteam/FUXA/releases/tag/v1.2.10 |
| Praskla-Technology--assessment-placipy | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known. | 2026-02-06 | not yet calculated | CVE-2026-25753 | https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2 |
| spree--spree | Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2. | 2026-02-06 | not yet calculated | CVE-2026-25757 | https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9 https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8 https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45 |
| spree--spree | Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2. | 2026-02-06 | not yet calculated | CVE-2026-25758 | https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6 https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734 https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8 https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748 https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96 |
| opf--openproject | OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject's repository changes endpoint (/projects/:project_id/repository/changes) when rendering the "latest changes" view via git log. By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd. This issue has been patched in versions 16.6.7 and 17.0.3. | 2026-02-06 | not yet calculated | CVE-2026-25763 | https://github.com/opf/openproject/security/advisories/GHSA-x37c-hcg5-r5m7 https://github.com/opf/openproject/releases/tag/v16.6.7 https://github.com/opf/openproject/releases/tag/v17.0.3 |
| slackhq--nebula | Nebula is a scalable overlay networking tool. In versions from 1.7.0 to 1.10.2, when using P256 certificates (which is not the default configuration), it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. This issue has been patched in version 1.10.3. | 2026-02-06 | not yet calculated | CVE-2026-25793 | https://github.com/slackhq/nebula/security/advisories/GHSA-69x3-g4r3-p962 https://github.com/slackhq/nebula/commit/f573e8a26695278f9d71587390fbfe0d0933aa21 |
| antrea-io--antrea | Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority calculations when handling a large number of policies with various priority values. This results in potentially incorrect traffic enforcement. This issue has been patched in version 2.4.3. | 2026-02-06 | not yet calculated | CVE-2026-25804 | https://github.com/antrea-io/antrea/security/advisories/GHSA-86x4-wp9f-wrr9 https://github.com/antrea-io/antrea/pull/7496 https://github.com/antrea-io/antrea/commit/86c4b6010f3be536866f339b632621c23d7186fa |
| Shenzhen Tenda Technology--Tenda G300-F | Tenda G300-F router firmware versions 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process. | 2026-02-07 | not yet calculated | CVE-2026-25857 | https://blog.evan.lat/blog/cve-2026-25857/ https://www.tendacn.com/material/show/736333682028613 https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag |
| macrozheng--mall | macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim's telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number. | 2026-02-07 | not yet calculated | CVE-2026-25858 | https://github.com/macrozheng/mall/issues/946 https://www.macrozheng.com/ https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure |
| WeKan--WeKan | WeKan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations. | 2026-02-07 | not yet calculated | CVE-2026-25859 | https://github.com/wekan/wekan/commit/cbb1cd78de3e40264a5e047ace0ce27f8635b4e6 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-migration-functionality-insufficient-permission-checks |

Vulnerability Summary for the Week of January 26, 2026

Posted on Monday February 02, 2026

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10-Strike Software--Bandwidth Monitor | 10-Strike Bandwidth Monitor 3.9 contains a buffer overflow vulnerability that allows attackers to bypass SafeSEH, ASLR, and DEP protections through carefully crafted input. Attackers can exploit the vulnerability by sending a malicious payload to the application's registration key input, enabling remote code execution and launching arbitrary system commands. | 2026-01-30 | 9.8 | CVE-2020-37043 | ExploitDB-48570 Product Webpage VulnCheck Advisory: 10-Strike Bandwidth Monitor 3.9 - Buffer Overflow |
| 10-Strike Software--Network Inventory Explorer | 10-Strike Network Inventory Explorer 8.65 contains a buffer overflow vulnerability in exception handling that allows remote attackers to execute arbitrary code. Attackers can craft a malicious file with 209 bytes of padding and a specially constructed Structured Exception Handler to trigger code execution. | 2026-01-28 | 9.8 | CVE-2020-36961 | ExploitDB-49134 10-Strike Network Inventory Explorer Vendor Homepage VulnCheck Advisory: 10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH) |
| 10-Strike--Bandwidth Monitor | 10-Strike Bandwidth Monitor 3.9 contains an unquoted service path vulnerability in multiple services that allows local attackers to escalate privileges. Attackers can place a malicious executable in specific file path locations to achieve privilege escalation to SYSTEM during service startup. | 2026-01-29 | 7.8 | CVE-2020-37021 | ExploitDB-48591 Vendor Homepage VulnCheck Advisory: Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path |
| Acer--Global Registration Service | Acer Global Registration Service 1.0.0.3 contains an unquoted service path vulnerability in its service configuration that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Acer\Registration\ to inject malicious executables that would run with elevated LocalSystem privileges during service startup. | 2026-01-27 | 7.8 | CVE-2020-36976 | ExploitDB-49142 Acer Official Homepage VulnCheck Advisory: Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path |
| Ajenti Project--Ajenti | Ajenti 2.1.36 contains an authentication bypass vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoint to send a netcat reverse shell payload targeting a specified IP and port. | 2026-01-29 | 9.8 | CVE-2020-37002 | ExploitDB-48929 Ajenti GitHub Repository VulnCheck Advisory: Ajenti 2.1.36 - Remote Code Execution |
| Akın Software Computer Import Export Industry and Trade Ltd.--QR Menu | Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse. This issue affects QR Menu: before s1.05.12. | 2026-01-29 | 8 | CVE-2025-7016 | https://www.usom.gov.tr/bildirim/tr-26-0006 |
| aliasrobotics--cai | Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a "safe" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix. | 2026-01-30 | 9.7 | CVE-2026-25130 | https://github.com/aliasrobotics/cai/security/advisories/GHSA-jfpc-wj3m-qw2m https://github.com/aliasrobotics/cai/commit/e22a1220f764e2d7cf9da6d6144926f53ca01cde https://github.com/aliasrobotics/cai/blob/559de8fcbc2b44f3b0360f35ffdc2bb975e7d7e4/src/cai/tools/reconnaissance/filesystem.py#L60 |
| amitkolloldey--e-learning PHP Script | e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. Attackers can inject malicious SQL code in the 'search' parameter to potentially extract, modify, or access sensitive database information. | 2026-01-30 | 8.2 | CVE-2020-37035 | ExploitDB-48629 Vendor Homepage VulnCheck Advisory: e-learning Php Script 0.1.0 - 'search' SQL Injection |
| ammarfaizi2--Tea LaTex | Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API action. | 2026-01-29 | 9.8 | CVE-2020-37012 | ExploitDB-48805 Vendor Homepage VulnCheck Advisory: Tea LaTex 1.0 - Remote Code Execution |
| Andrea Electronics--Andrea ST Filters Service | Andrea ST Filters Service 1.0.64.7 contains an unquoted service path vulnerability in its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code that will execute with elevated LocalSystem privileges during service startup. | 2026-01-30 | 7.8 | CVE-2020-37058 | ExploitDB-48396 Andrea Electronics Official Homepage VulnCheck Advisory: Andrea ST Filters Service 1.0.64.7 - Unquoted service path |
| Arcadia Technology, LLC--Crafty Controller | An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. | 2026-01-30 | 9.9 | CVE-2026-0963 | GitLab Issue #660 |
| Arcadia Technology, LLC--Crafty Controller | An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. | 2026-01-30 | 8.2 | CVE-2026-0805 | GitLab Issue #650 |
| asc Applied Software Consultants, s.r.o.--asc Timetables | aSc TimeTables 2021.6.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting subject title fields with excessive data. Attackers can generate a 10,000-character buffer and paste it into the subject title to trigger application instability and potential crash. | 2026-01-28 | 7.5 | CVE-2020-36943 | ExploitDB-49147 Vendor Homepage Software Download Page VulnCheck Advisory: aSc TimeTables 2021.6.2 - Denial of Service |
| Ashkon Software--Simple Startup Manager | Simple Startup Manager 1.17 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory through the 'File' input parameter. Attackers can craft a malicious payload with 268 bytes to trigger code execution, bypassing DEP and overwriting memory addresses to launch calc.exe. | 2026-01-30 | 8.4 | CVE-2020-37031 | ExploitDB-48678 Product Webpage VulnCheck Advisory: Simple Startup Manager 1.17 - 'File' Local Buffer Overflow |
| Atheros--Coex Service Application | Atheros Coex Service Application 8.0.0.255 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path by placing malicious executables in the service path to gain elevated system privileges during service startup. | 2026-01-27 | 7.8 | CVE-2020-36979 | ExploitDB-49053 Vendor Homepage Software Download Link VulnCheck Advisory: Atheros Coex Service Application 8.0.0.255 -'ZAtheros Bt&Wlan Coex Agent' Unquoted Service Path |
| avalanche123--Cassandra Web | Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating path traversal parameters. Attackers can exploit the disabled Rack::Protection module to read sensitive system files like /etc/passwd and retrieve Apache Cassandra database credentials. | 2026-01-27 | 7.5 | CVE-2020-36939 | ExploitDB-49362 Cassandra Web GitHub Repository Cassandra Web RubyGems Package VulnCheck Advisory: Cassandra Web 0.5.0 - Remote File Read |
| Avast--AVAST SecureLine | Avast SecureLine 5.5.522.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup. | 2026-02-01 | 7.8 | CVE-2020-37037 | ExploitDB-48249 Avast Official Homepage VulnCheck Advisory: AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path |
| backstage--backstage | Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package. | 2026-01-30 | 7.7 | CVE-2026-25153 | https://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf |
| Barcode-Ocr--BarcodeOCR | BarcodeOCR 19.3.6 contains an unquoted service path vulnerability that allows local attackers to execute code with elevated privileges during system startup. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will run with LocalSystem privileges. | 2026-01-29 | 7.8 | CVE-2020-37016 | ExploitDB-48740 BarcodeOCR Official Homepage VulnCheck Advisory: BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path |
| BearshareOfficial--BearShare Lite | BearShare Lite 5.2.5 contains a buffer overflow vulnerability in the Advanced Search keywords input that allows attackers to execute arbitrary code. Attackers can craft a specially designed payload to overwrite the EIP register and execute shellcode by pasting malicious content into the search keywords field. | 2026-01-29 | 9.8 | CVE-2020-37010 | ExploitDB-48839 Official BearShare Homepage BearShare Lite 5.2.5 Download Page VulnCheck Advisory: BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC) |
| Beckhoff Automation--Beckhoff.Device.Manager.XAR | A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes. | 2026-01-27 | 8.8 | CVE-2025-41726 | https://certvde.com/de/advisories/VDE-2025-092 |
| Beckhoff Automation--Beckhoff.Device.Manager.XAR | A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access. | 2026-01-27 | 7.8 | CVE-2025-41727 | https://certvde.com/de/advisories/VDE-2025-092 |
| bentoml--BentoML | BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed. Version 1.4.34 contains a patch for the issue. | 2026-01-26 | 7.4 | CVE-2026-24123 | https://github.com/bentoml/BentoML/security/advisories/GHSA-6r62-w2q3-48hf https://github.com/bentoml/BentoML/commit/84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4 https://github.com/bentoml/BentoML/releases/tag/v1.4.34 |
| bloompixel--TableMaster for Elementor Advanced Responsive Tables for Elementor | The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config.php via the 'csv_url' parameter. | 2026-01-28 | 7.2 | CVE-2025-14610 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ef07d6b0-ccdb-4b33-817f-6d4b3ad96243?source=cve https://plugins.trac.wordpress.org/browser/tablemaster-for-elementor/trunk/modules/data-table/widgets/data-table.php#L446 https://plugins.trac.wordpress.org/browser/tablemaster-for-elementor/tags/1.3.6/modules/data-table/widgets/data-table.php#L446 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442158%40tablemaster-for-elementor&new=3442158%40tablemaster-for-elementor&sfp_email=&sfph_mail= |
| Broadcom--Symantec Web Security Services Agent | WSS Agent, prior to 9.8.5, may be susceptible to an Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | 2026-01-28 | 7 | CVE-2025-13917 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36778 |
| C4illin--ConvertX | ConvertX is a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue. | 2026-01-27 | 8.1 | CVE-2026-24741 | https://github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jp https://github.com/C4illin/ConvertX/commit/7a936bdc0463936463616381ca257b13babc5e77 |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue. | 2026-01-30 | 8.8 | CVE-2026-24854 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38 |
| Cleanersoft Software--Free MP3 CD Ripper | Free MP3 CD Ripper 2.8 contains a stack buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting a malicious WAV file with oversized payload. Attackers can leverage a specially crafted exploit file with shellcode, SEH bypass, and egghunter technique to achieve remote code execution on vulnerable Windows systems. | 2026-01-29 | 9.8 | CVE-2020-37000 | ExploitDB-48696 Vendor Homepage VulnCheck Advisory: Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter) |
| code-projects--Online Examination System | A vulnerability was found in code-projects Online Examination System 1.0. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login Page. Performing a manipulation of the argument User results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2026-01-26 | 7.3 | CVE-2026-1422 | VDB-342838 \| code-projects Online Examination System Login Page index.php sql injection VDB-342838 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736606 \| code-projects Online Examination System 1 SQL Injection https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-2-sql-injection-on-login-page https://code-projects.org/ |
| code-projects--Online Music Site | A flaw has been found in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminDeleteUser.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2026-01-26 | 7.3 | CVE-2026-1443 | VDB-342872 \| code-projects Online Music Site AdminDeleteUser.php sql injection VDB-342872 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736967 \| code-projects Online Music Site V1.0 SQL Injection https://github.com/Volije/cve/issues/1 https://code-projects.org/ |
| code-projects--Online Music Site | A weakness has been identified in code-projects Online Music Site 1.0. This affects an unknown function of the file /Administrator/PHP/AdminEditUser.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-28 | 7.3 | CVE-2026-1534 | VDB-343220 \| code-projects Online Music Site AdminEditUser.php sql injection VDB-343220 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738705 \| Code-Projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/yuji0903/silver-guide/issues/3 https://code-projects.org/ |
| code-projects--Online Music Site | A security vulnerability has been detected in code-projects Online Music Site 1.0. This impacts an unknown function of the file /Administrator/PHP/AdminReply.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-01-28 | 7.3 | CVE-2026-1535 | VDB-343221 \| code-projects Online Music Site AdminReply.php sql injection VDB-343221 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738706 \| Code-Projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/yuji0903/silver-guide/issues/4 https://code-projects.org/ |
| Code::Blocks--Code::Blocks | Code Blocks 17.12 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious file name with Unicode characters. Attackers can trigger the vulnerability by pasting a specially crafted payload into the file name field during project creation, potentially executing system commands like calc.exe. | 2026-01-30 | 8.4 | CVE-2020-37040 | ExploitDB-48594 Code Blocks Official Website Code Blocks SourceForge Page VulnCheck Advisory: Code Blocks 17.12 - 'File Name' Local Buffer Overflow |
| Code::Blocks--Code::Blocks | Code Blocks 20.03 contains a denial of service vulnerability that allows attackers to crash the application by manipulating input in the FSymbols search field. Attackers can paste a large payload of 5000 repeated characters into the search field to trigger an application crash. | 2026-01-30 | 7.5 | CVE-2020-37038 | ExploitDB-48617 Code Blocks Official Homepage Code Blocks SourceForge Page VulnCheck Advisory: Code Blocks 20.03 - Denial Of Service |
| codexcube--Ultimate Project Manager CRM PRO | Ultimate Project Manager CRM PRO 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progressively guess and retrieve user credentials through boolean-based inference techniques. | 2026-01-29 | 8.2 | CVE-2020-37004 | ExploitDB-48912 Ultimate Project Manager CRM PRO Vendor Homepage VulnCheck Advisory: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage |
| Codriapp Innovation and Software Technologies Inc.--HeyGarson | Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping. This issue affects HeyGarson: through 30012026. NOTE: The vendor was contacted several times to verify the fixing process but did not respond in any way. | 2026-01-30 | 8.2 | CVE-2025-1395 | https://www.usom.gov.tr/bildirim/tr-26-0009 |
| crm-now GmbH--berliCRM | berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information. | 2026-01-29 | 8.2 | CVE-2020-37006 | ExploitDB-48872 Vendor Homepage VulnCheck Advisory: berliCRM 1.0.24 - 'src_record' SQL Injection |
| Crystal Shard--http-protection | Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and gain unauthorized access. | 2026-01-30 | 9.8 | CVE-2020-37056 | ExploitDB-48533 HTTP Protection Crystal Shard Repository VulnCheck Advisory: Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass |
| D-Link--DIR-615 | A vulnerability was detected in D-Link DIR-615 up to 4.10. This impacts an unknown function of the file /wiz_policy_3_machine.php of the component Web Management Interface. Performing a manipulation of the argument ipaddr results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-26 | 7.2 | CVE-2026-1448 | VDB-342880 \| D-Link DIR-615 Web Management wiz_policy_3_machine.php os command injection VDB-342880 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #737006 \| Dlink DIR615 Firmware v4.10 and earlier (DIR-615 Rev D) OS Command Injection https://pentagonal-time-3a7.notion.site/DIR-615-v4-10-2e7e5dd4c5a580a5aac5c8ce35933396?pvs=73 https://www.dlink.com/ |
| D-Link--DIR-615 | A vulnerability was found in D-Link DIR-615 4.10. This issue affects some unknown processing of the file /set_temp_nodes.php of the component URL Filter. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-28 | 7.2 | CVE-2026-1505 | VDB-343117 \| D-Link DIR-615 URL Filter set_temp_nodes.php os command injection VDB-343117 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #737061 \| Dlink DIR-615 v4.10 OS Command Injection https://pentagonal-time-3a7.notion.site/D-Link-DIR-615-2e7e5dd4c5a580109a14fdeb6f105cd6 https://www.dlink.com/ |
| D-Link--DIR-615 | A vulnerability was determined in D-Link DIR-615 4.10. Impacted is an unknown function of the file /adv_mac_filter.php of the component MAC Filter Configuration. This manipulation of the argument mac causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-28 | 7.2 | CVE-2026-1506 | VDB-343118 \| D-Link DIR-615 MAC Filter Configuration adv_mac_filter.php os command injection VDB-343118 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #737078 \| Dlink DIR-615 v4.10 OS Command Injection https://pentagonal-time-3a7.notion.site/DIR-615-MAC_FILTER-2e7e5dd4c5a58091b027f50271cc7c6a https://www.dlink.com/ |
| Dassault Systèmes--SOLIDWORKS eDrawings | A Heap-based Buffer Overflow vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file. | 2026-01-26 | 7.8 | CVE-2026-1283 | https://www.3ds.com/trust-center/security/security-advisories/cve-2026-1283 |
| Dassault Systèmes--SOLIDWORKS eDrawings | An Out-Of-Bounds Write vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file. | 2026-01-26 | 7.8 | CVE-2026-1284 | https://www.3ds.com/trust-center/security/security-advisories/cve-2026-1284 |
| Deepinstinct--Deep Instinct Windows Agent | Deep Instinct Windows Agent 1.2.29.0 contains an unquoted service path vulnerability in the DeepMgmtService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure Sense\DeepMgmtService.exe to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-02-01 | 7.8 | CVE-2020-37047 | ExploitDB-48174 Deep Instinct Official Homepage VulnCheck Advisory: Deep Instinct Windows Agent 1.2.29.0 - 'DeepMgmtService' Unquoted Service Path |
| Dell--CloudBoost Virtual Appliance | Dell CloudBoost Virtual Appliance, versions prior to 19.14.0.0, contains a Plaintext Storage of Password vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-01-27 | 7 | CVE-2026-21417 | https://www.dell.com/support/kbdoc/en-us/000419894/dsa-2026-025-security-update-for-dell-cloudboost-virtual-appliance-multiple-vulnerabilities |
| Dell--PremierColor | Dell PremierColor Panel Driver, versions prior to 1.0.0.1 A01, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2026-01-28 | 7.8 | CVE-2025-46691 | https://www.dell.com/support/kbdoc/en-us/000394670/dsa-2025-444?lang=en |
| Dell--Unity | Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | 2026-01-30 | 7.8 | CVE-2026-21418 | https://www.dell.com/support/kbdoc/en-us/000421197/dsa-2026-054-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities |
| Dell--UnityVSA | Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | 2026-01-30 | 7.8 | CVE-2026-22277 | https://www.dell.com/support/kbdoc/en-us/000421197/dsa-2026-054-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities |
| Delta Electronics--ASDA-Soft | ASDA-Soft Stack-based Buffer Overflow Vulnerability | 2026-01-27 | 7.8 | CVE-2026-1361 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00003_ASDA-Soft%20Stack-based%20Buffer%20Overflow%20Vulnerability%20(CVE-2026-1361).pdf |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | 7.1 | CVE-2025-68479 | https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327 |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | 7.6 | CVE-2025-68662 | https://github.com/discourse/discourse/security/advisories/GHSA-gcfp-rjfc-925c |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 9.1 | CVE-2026-24838 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-w9pf-h6m6-v89h |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for the user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 7.7 | CVE-2026-24833 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-9r3h-mpf8-25gj |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 7.7 | CVE-2026-24836 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2g5g-hcgh-q3rp |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 7.7 | CVE-2026-24837 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-vm5q-8qww-h238 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue. | 2026-01-28 | 9.9 | CVE-2026-24841 | https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue. | 2026-01-28 | 8 | CVE-2026-24840 | https://github.com/Dokploy/dokploy/security/advisories/GHSA-jr65-3j3w-gjmc https://github.com/Dokploy/dokploy/commit/b902c160a256ad345ac687c87eb092f1fab2c64d |
| Drive-Software--Atomic Alarm Clock x86 | Atomic Alarm Clock 6.3 contains a local privilege escalation vulnerability in its service configuration that allows attackers to execute arbitrary code with SYSTEM privileges. Attackers can exploit the unquoted service path by placing a malicious executable named 'Program.exe' to gain persistent system-level access. | 2026-01-30 | 7.8 | CVE-2020-37060 | ExploitDB-48352 Vendor Homepage VulnCheck Advisory: Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path |
| Dummysoftware--BacklinkSpeed | BacklinkSpeed 2.4 contains a buffer overflow vulnerability that allows attackers to corrupt the Structured Exception Handler (SEH) chain through malicious file import. Attackers can craft a specially designed payload file to overwrite SEH addresses, potentially executing arbitrary code and gaining control of the application. | 2026-01-29 | 9.8 | CVE-2020-36997 | ExploitDB-48726 Vendor Homepage Software Download Page VulnCheck Advisory: BacklinkSpeed 2.4 - Buffer Overflow PoC (SEH) |
| Eclipse Foundation--Eclipse Theia - Website | In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository. | 2026-01-30 | 10 | CVE-2026-1699 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/332 |
| Eclipse Foundation--Eclipse ThreadX | The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks if cntr_id equals 0u to determine failure, but osek_get_counter() actually returns E_OS_SYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch to never execute even when the counter pool is exhausted. As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer lead to writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption. This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access. | 2026-01-27 | 7.8 | CVE-2026-0648 | https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-xj75-fc68-h4rw |
| Elaniin--Elaniin CMS | Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. Attackers can bypass authentication by sending crafted email and password parameters with '=''or' payload to login.php, granting unauthorized access to the system. | 2026-01-29 | 8.2 | CVE-2020-36999 | ExploitDB-48705 Vendor Homepage Elaniin CMS GitHub Repository VulnCheck Advisory: elaniin CMS 1.0 - Authentication Bypass |
| Elektraweb--EasyPMS | EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak input validation by injecting single quotes in ID parameters and modify admin user passwords without proper token authentication. | 2026-01-29 | 7.5 | CVE-2020-37008 | ExploitDB-48858 Vendor Homepage VulnCheck Advisory: EasyPMS 1.0.0 - Authentication Bypass |
| Enigmasoftware--SpyHunter | SpyHunter 4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations to gain elevated access during service startup. | 2026-02-01 | 7.8 | CVE-2020-37055 | ExploitDB-48172 Vendor Homepage VulnCheck Advisory: SpyHunter 4 - 'SpyHunter 4 Service' Unquoted Service Path |
| Epson--EPSON | EPSON 1.124 contains an unquoted service path vulnerability in the SENADB service that allows local attackers to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor\ to inject malicious executables that will run with LocalSystem permissions. | 2026-01-28 | 7.8 | CVE-2020-36984 | ExploitDB-48965 EPSON Official Support Page VulnCheck Advisory: EPSON 1.124 - 'seksmdb.exe' Unquoted Service Path |
| Epson--EPSON EasyMP Network Projection | EPSON EasyMP Network Projection 2.81 contains an unquoted service path vulnerability in the EMP_NSWLSV service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\ to inject malicious code that would execute with LocalSystem privileges. | 2026-02-01 | 7.8 | CVE-2020-37064 | ExploitDB-48069 EPSON EasyMP Network Projection Support Page VulnCheck Advisory: EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path |
| ErugoOSS--Erugo | Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue. | 2026-01-28 | 10 | CVE-2026-24897 | https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369 https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e38 https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15 |
| Filehorse--Motorola Device Manager | Motorola Device Manager 2.4.5 contains an unquoted service path vulnerability in the PST Service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in ForwardDaemon.exe to inject malicious code that will execute with elevated system privileges during service startup. | 2026-01-27 | 7.8 | CVE-2020-36981 | ExploitDB-49011 Motorola Device Manager Download Page ExploitDB-49013 VulnCheck Advisory: Motorola Device Manager 2.4.5 - 'ForwardDaemon.exe ' Unquoted Service Path |
| Filigran--OpenCTI | OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. For example, requesting /static/css//../../../../../../../../etc/passwd returns the contents of /etc/passwd. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10. | 2026-01-30 | 7.5 | CVE-2020-37041 | ExploitDB-48595 OpenCTI Official Homepage OpenCTI GitHub Repository VulnCheck Advisory: OpenCTI 3.3.1 - Directory Traversal |
| Flexense Ltd.--SyncBreeze | SyncBreeze 10.0.28 contains a denial of service vulnerability in the login endpoint that allows remote attackers to crash the service. Attackers can send an oversized payload in the login request to overwhelm the application and potentially disrupt service availability. | 2026-01-27 | 7.5 | CVE-2020-36946 | ExploitDB-49291 Vendor Homepage VulnCheck Advisory: SyncBreeze 10.0.28 - 'login' Denial of Service |
| Forensit--ForensiTAppxService | ForensiT AppX Management Service 2.2.0.4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup. | 2026-01-28 | 7.8 | CVE-2020-36989 | ExploitDB-48821 ForensiT Official Downloads Page VulnCheck Advisory: ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path |
| Fortinet--FortiProxy | An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices. | 2026-01-27 | 9.4 | CVE-2026-24858 | https://fortiguard.fortinet.com/psirt/FG-IR-26-060 |
| Frigate3--Frigate Professional | Frigate Professional 3.36.0.9 contains a local buffer overflow vulnerability in the Pack File feature that allows attackers to execute arbitrary code by overflowing the 'Archive To' input field. Attackers can craft a malicious payload that overwrites the Structured Exception Handler (SEH) and uses an egghunter technique to execute a reverse shell payload. | 2026-01-29 | 8.4 | CVE-2020-37001 | ExploitDB-48688 Archived Vendor Homepage VulnCheck Advisory: Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter) |
| Gearboxcomputers--IP Watcher | IP Watcher 3.0.0.30 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup. | 2026-01-28 | 7.8 | CVE-2020-36985 | ExploitDB-48968 Vendor Homepage VulnCheck Advisory: IP Watcher v3.0.0.30 - 'PACService.exe' Unquoted Service Path |
| Gearboxcomputers--Program Access Controller | Program Access Controller 1.2.0.0 contains an unquoted service path vulnerability in PACService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-28 | 7.8 | CVE-2020-36987 | ExploitDB-48966 Vendor Homepage VulnCheck Advisory: Program Access Controller v1.2.0.0 - 'PACService.exe' Unquoted Service Path |
| geraked--phpscript-sgh | Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit this vulnerability by crafting malicious payloads that trigger time delays, enabling them to extract sensitive database information through conditional sleep techniques. | 2026-01-27 | 8.2 | CVE-2020-36951 | ExploitDB-49192 Vendor Homepage VulnCheck Advisory: Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection |
| gerstrong--Commander-Genius | Out-of-bounds Write vulnerability in gerstrong Commander-Genius. This issue affects Commander-Genius: before Release refs/pull/358/merge. | 2026-01-27 | 7.5 | CVE-2026-24827 | https://github.com/gerstrong/Commander-Genius/pull/379 |
| Getoutline--Outline Service | Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in C:\Program Files (x86)\Outline to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-30 | 7.8 | CVE-2020-37030 | ExploitDB-48414 Outline Service Official Homepage VulnCheck Advisory: Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path |
| Getpopcorntime--Popcorn Time | Popcorn Time 6.2.1.14 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can insert malicious executables in Program Files (x86) or system root directories to be executed with SYSTEM-level permissions during service startup. | 2026-01-30 | 7.8 | CVE-2020-37059 | ExploitDB-48378 Popcorn Time Official Homepage VulnCheck Advisory: Popcorn Time 6.2 - 'Update service' Unquoted Service Path |
| Gila CMS--Gila CMS | Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through manipulated HTTP headers. Attackers can inject PHP code in the User-Agent header with shell_exec() to run system commands by sending crafted requests to the admin endpoint. | 2026-01-27 | 9.8 | CVE-2021-47900 | ExploitDB-49412 Official Vendor Homepage Gila CMS GitHub Repository VulnCheck Advisory: Gila CMS < 2.0.0 - Remote Code Execution |
| Global Interactive Design Media Software Inc.--Content Management System (CMS) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers. This issue affects Content Management System (CMS): through 21072025. | 2026-01-29 | 7.5 | CVE-2025-7713 | https://www.usom.gov.tr/bildirim/tr-26-0008 |
| Global Interactive Design Media Software Inc.--Content Management System (CMS) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows Command Line Execution through SQL Injection. This issue affects Content Management System (CMS): through 21072025. | 2026-01-29 | 7.5 | CVE-2025-7714 | https://www.usom.gov.tr/bildirim/tr-26-0008 |
| GNOME--Fonts Viewer | Gnome Fonts Viewer 3.34.0 contains a heap corruption vulnerability that allows attackers to trigger an out-of-bounds write by crafting a malicious TTF font file. Attackers can generate a specially crafted TTF file with an oversized pattern to cause an infinite malloc() loop and potentially crash the gnome-font-viewer process. | 2026-01-29 | 7.5 | CVE-2020-37011 | ExploitDB-48803 Gnome Official Website Gnome Font Viewer App Webpage VulnCheck Advisory: Gnome Fonts Viewer 3.34.0 Heap Corruption |
| GnuPG--GnuPG | In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT --kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution. | 2026-01-27 | 8.1 | CVE-2026-24881 | https://www.openwall.com/lists/oss-security/2026/01/27/8 https://dev.gnupg.org/T8044 |
| GnuPG--GnuPG | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | 2026-01-27 | 8.4 | CVE-2026-24882 | https://www.openwall.com/lists/oss-security/2026/01/27/8 https://dev.gnupg.org/T8045 |
| Grafana--grafana/grafana | The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization internal privilege escalation. | 2026-01-27 | 8.1 | CVE-2026-21721 | https://grafana.com/security/security-advisories/CVE-2026-21721 |
| Grafana--grafana/grafana-enterprise | Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems. | 2026-01-27 | 7.5 | CVE-2026-21720 | https://grafana.com/security/security-advisories/CVE-2026-21720 |
| guelfoweb--knock | Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications. | 2026-01-27 | 9.8 | CVE-2020-36941 | ExploitDB-49342 Knockpy GitHub Repository VulnCheck Advisory: Knockpy 4.1.1 - CSV Injection |
| hayyatapps--Sell BTC Cryptocurrency Selling Calculator | The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5. | 2026-01-31 | 7.2 | CVE-2025-14554 | https://www.wordfence.com/threat-intel/vulnerabilities/id/720be34d-3fe4-4395-a27b-d386f8612ba9?source=cve https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions-admin.php#L39 https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions/form_tab.php#L12 https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/Pages/orders.php#L30 https://plugins.trac.wordpress.org/changeset/3433480/ https://plugins.trac.wordpress.org/changeset/3450361/ |
| HELLOWEB--HelloWeb | HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files. | 2026-01-30 | 7.5 | CVE-2020-37034 | ExploitDB-48659 Archived HelloWeb Vendor Homepage VulnCheck Advisory: HelloWeb 2.0 - Arbitrary File Download |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking Fabric Composer | Insecure file operations in HPE Aruba Networking Fabric Composer’s backup functionality could allow authenticated attackers to achieve remote code execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. | 2026-01-27 | 7.2 | CVE-2026-23592 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04996en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking Fabric Composer | A vulnerability in the web-based management interface of HPE Aruba Networking Fabric Composer could allow an unauthenticated remote attacker to view some system files. Successful exploitation could allow an attacker to read files within the affected directory. | 2026-01-27 | 7.5 | CVE-2026-23593 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04996en_us&docLocale=en_US |
| HIKSEMI--HS-AFS-S1H1 | Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages. | 2026-01-30 | 7.2 | CVE-2026-22623 | https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html |
| Hikvision--DS-3WAP521-SI | Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution. | 2026-01-30 | 7.2 | CVE-2026-0709 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/command-execution-vulnerability-in-some-hikvision-wireless-access-point-products/ |
| Hisense TransTech--Smart Bus Management System | A flaw has been found in Hisense TransTech Smart Bus Management System up to 20260113. Affected is the function Page_Load of the file YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx. Executing a manipulation of the argument key can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-26 | 7.3 | CVE-2026-1449 | VDB-342881 \| Hisense TransTech Smart Bus Management System TireMng.aspx Page_Load sql injection VDB-342881 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #737032 \| Hisense TransTech Hisense Smart Bus Management System 1.0 SQL Injection https://github.com/master-abc/cve/issues/15 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Windows 12.1.0 - 12.1.3 could allow a local user with filesystem access to escalate their privileges due to the use of an unquoted search path element. | 2026-01-30 | 8.4 | CVE-2025-36384 | https://www.ibm.com/support/pages/node/7257678 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalates their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level. | 2026-01-30 | 7.2 | CVE-2025-36184 | https://www.ibm.com/support/pages/node/7257519 |
| IDT--IDT PC Audio | IDT PC Audio 1.0.6499.0 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the STacSV service to inject malicious code that would execute with LocalSystem account permissions during service startup. | 2026-01-26 | 7.8 | CVE-2020-36959 | ExploitDB-49191 Software Download Link VulnCheck Advisory: IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path |
| iForwarder and upRedSun Technologies, LLC.--Port Forwarding Wizard | Port Forwarding Wizard 4.8.0 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code through a long request in the Register feature. Attackers can craft a malicious payload with an egg tag and overwrite SEH handlers to potentially execute shellcode on vulnerable Windows systems. | 2026-01-30 | 8.4 | CVE-2020-37025 | ExploitDB-48695 Vendor Homepage VulnCheck Advisory: Port Forwarding Wizard 4.8.0 - Buffer Overflow |
| ik80--YATinyWinFTP | YATinyWinFTP contains a denial of service vulnerability that allows attackers to crash the FTP service by sending a 272-byte buffer with a trailing space. Attackers can exploit the service by connecting and sending a malformed command that triggers a buffer overflow and service crash. | 2026-01-28 | 9.8 | CVE-2020-36964 | ExploitDB-49127 YATinyWinFTP GitHub Repository VulnCheck Advisory: YATinyWinFTP - Denial of Service |
| immich-app--immich | immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue. | 2026-01-29 | 7.2 | CVE-2026-23896 | https://github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mv |
| inc2734--Snow Monkey Forms | The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2026-01-28 | 9.8 | CVE-2026-1056 | https://www.wordfence.com/threat-intel/vulnerabilities/id/37a8642d-07f5-4b1b-8419-e30589089162?source=cve https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/snow-monkey-forms.php#L186 https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Model/Directory.php#L58 https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Rest/Route/View.php#L189 https://plugins.trac.wordpress.org/changeset/3448278/ |
| infiniflow--ragflow | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip" vulnerability, allowing an attacker to overwrite arbitrary files on the server (leading to Remote Code Execution) via a malicious ZIP archive. The MinerUParser class retrieves and extracts ZIP files from an external source (mineru_server_url). The extraction logic in `_extract_zip_no_root` fails to sanitize filenames within the ZIP archive. Commit 64c75d558e4a17a4a48953b4c201526431d8338f contains a patch for the issue. | 2026-01-27 | 9.8 | CVE-2026-24770 | https://github.com/infiniflow/ragflow/security/advisories/GHSA-v7cf-w7gj-pgf4 https://github.com/infiniflow/ragflow/commit/64c75d558e4a17a4a48953b4c201526431d8338f |
| Inputdirector--Input Director | Input Director 1.4.3 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-28 | 7.8 | CVE-2020-36990 | ExploitDB-48795 Input Director Official Homepage VulnCheck Advisory: Input Director 1.4.3 - 'Input Director' Unquoted Service Path |
| Insite Software--Infor Storefront B2B | Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'usr_name' parameter to potentially extract or modify database information. | 2026-01-30 | 8.2 | CVE-2020-37033 | ExploitDB-48674 Archived Infor Storefront Homepage VulnCheck Advisory: Infor Storefront B2B 1.0 - 'usr_name' SQL Injection |
| Intelbras--Intelbras Router RF 301K | Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypass vulnerability that allows unauthenticated attackers to download router configuration files. Attackers can send a specific HTTP GET request to /cgi-bin/DownloadCfg/RouterCfm.cfg to retrieve sensitive router configuration without authentication. | 2026-01-28 | 7.5 | CVE-2020-36963 | ExploitDB-49126 Intelbras Official Homepage VulnCheck Advisory: Intelbras Router RF 301K 1.1.2 - Authentication Bypass |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile XML parsing potentially corrupting memory structures and enabling arbitrary code execution. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available. | 2026-01-28 | 7.8 | CVE-2026-24856 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-w585-cv3v-c396 https://github.com/InternationalColorConsortium/iccDEV/issues/532 https://github.com/InternationalColorConsortium/iccDEV/pull/541 https://github.com/InternationalColorConsortium/iccDEV/commit/5e53a5d25923b7794ba44e390e9b35d391f2b9c1 |
| Iobit--IObit Uninstaller | IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path in the IObit Uninstaller Service to insert malicious code that would execute with SYSTEM-level permissions during service startup. | 2026-01-26 | 7.8 | CVE-2020-36952 | ExploitDB-49371 IObit Official Homepage VulnCheck Advisory: IObit Uninstaller 10 Pro - Unquoted Service Path |
| Is-Daouda--is-Engine | Missing Release of Memory after Effective Lifetime vulnerability in Is-Daouda is-Engine. This issue affects is-Engine: before 3.3.4. | 2026-01-27 | 7.5 | CVE-2026-24828 | https://github.com/Is-Daouda/is-Engine/pull/6 |
| isaacs--node-tar | node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue. | 2026-01-28 | 8.2 | CVE-2026-24842 | https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46 |
| Iskysoft--Iskysoft Application Framework Service | Iskysoft Application Framework Service 2.4.3.241 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that would be run with the service's high-level system permissions. | 2026-02-01 | 7.8 | CVE-2020-37048 | ExploitDB-48171 Vendor Homepage VulnCheck Advisory: Iskysoft Application Framework Service 2.4.3.241 - 'IsAppService' Unquoted Service Path |
| itsourcecode--Directory Management System | A security vulnerability has been detected in itsourcecode Directory Management System 1.0. The affected element is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-01-30 | 7.3 | CVE-2026-1688 | VDB-343482 \| itsourcecode Directory Management System index.php sql injection VDB-343482 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741283 \| itsourcecode Directory Management System V1.0 SQL Injection https://github.com/jackhong1236/CVE_1/issues/1 https://itsourcecode.com/ |
| itsourcecode--School Management System | A weakness has been identified in itsourcecode School Management System 1.0. The affected element is an unknown function of the file /course/index.php. Executing a manipulation of the argument ID can lead to SQL injection. The attack may be performed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-28 | 7.3 | CVE-2026-1545 | VDB-343229 \| itsourcecode School Management System index.php sql injection VDB-343229 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739647 \| itsourcecode School Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/33 https://itsourcecode.com/ |
| itsourcecode--School Management System | A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/inquiry/index.php. This manipulation of the argument txtsearch causes SQL injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-29 | 7.3 | CVE-2026-1589 | VDB-343352 \| itsourcecode School Management System index.php sql injection VDB-343352 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740686 \| itsourcecode School Management System v1.0 SQL Injection https://mega.nz/file/DQUWSY7Y#CLcuhD1KE2s0VtEvYqH_PDCyhpGS0HDo_MKj9sheUPA https://itsourcecode.com/ |
| itsourcecode--School Management System | A vulnerability was identified in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/faculty/index.php. Such manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2026-01-29 | 7.3 | CVE-2026-1590 | VDB-343353 \| itsourcecode School Management System index.php sql injection VDB-343353 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740687 \| itsourcecode School Management System v1.0 SQL Injection https://mega.nz/file/GYsm2Q7K#B7NUGX5Fy9iLYssM474U3zFsmZp_14v0n5Sp-5N95yI https://itsourcecode.com/ |
| itsourcecode--Society Management System | A weakness has been identified in itsourcecode Society Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/edit_expenses_query.php. Executing a manipulation of the argument detail can lead to SQL injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-29 | 7.3 | CVE-2026-1593 | VDB-343355 \| itsourcecode Society Management System edit_expenses_query.php sql injection VDB-343355 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740689 \| itsourcecode Society Management System V1.0 SQL injection https://github.com/yyzq-wsx/for_cve/issues/3 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A security vulnerability has been detected in itsourcecode Society Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/add_expenses.php. The manipulation of the argument detail leads to SQL injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2026-01-29 | 7.3 | CVE-2026-1594 | VDB-343356 \| itsourcecode Society Management System add_expenses.php sql injection VDB-343356 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740691 \| itsourcecode Society Management System V1.0 SQL Injection https://github.com/yyzq-wsx/for_cve/issues/2 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A vulnerability was detected in itsourcecode Society Management System 1.0. This affects an unknown part of the file /admin/edit_student_query.php. The manipulation of the argument student_id results in SQL injection. The attack can be executed remotely. The exploit is now public and may be used. | 2026-01-29 | 7.3 | CVE-2026-1595 | VDB-343357 \| itsourcecode Society Management System edit_student_query.php sql injection VDB-343357 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740692 \| itsourcecode Society Management System V1.0 SQL Injection https://github.com/yyzq-wsx/for_cve/issues/1 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A security vulnerability has been detected in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-01-30 | 7.3 | CVE-2026-1701 | VDB-343491 \| itsourcecode Student Management System index.php sql injection VDB-343491 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742024 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/34 https://itsourcecode.com/ |
| Ivanti--Endpoint Manager Mobile | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | 2026-01-29 | 9.8 | CVE-2026-1281 | https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 |
| Ivanti--Endpoint Manager Mobile | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | 2026-01-29 | 9.8 | CVE-2026-1340 | https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 |
| ixray-team--ixray-1.6-stcop | Out-of-bounds Write vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. | 2026-01-27 | 9.8 | CVE-2026-24832 | https://github.com/ixray-team/ixray-1.6-stcop/pull/257 |
| ixray-team--ixray-1.6-stcop | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. | 2026-01-27 | 7.5 | CVE-2026-24831 | https://github.com/ixray-team/ixray-1.6-stcop/pull/248 |
| Juniper Networks--Session Smart Router | An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device. This issue affects Session Smart Router: * from 5.6.7 before 5.6.17, * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts, * from 6.2 before 6.2.8-lts, * from 6.3 before 6.3.3-r2; This issue affects Session Smart Conductor: * from 5.6.7 before 5.6.17, * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts, * from 6.2 before 6.2.8-lts, * from 6.3 before 6.3.3-r2; This issue affects WAN Assurance Managed Routers: * from 5.6.7 before 5.6.17, * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts, * from 6.2 before 6.2.8-lts, * from 6.3 before 6.3.3-r2. | 2026-01-27 | 9.8 | CVE-2025-21589 | https://supportportal.juniper.net/ https://support.juniper.net/support/eol/software/ssr/ https://kb.juniper.net/JSA94663 |
| K.soft--FTPDummy | FTPDummy 4.80 contains a local buffer overflow vulnerability in its preference file handling that allows attackers to execute arbitrary code. Attackers can craft a malicious preference file with carefully constructed shellcode to trigger a structured exception handler overwrite and execute system commands. | 2026-01-30 | 8.4 | CVE-2020-37029 | ExploitDB-48685 Official FTPDummy Software Homepage VulnCheck Advisory: FTPDummy 4.80 - Local Buffer Overflow |
| KiloView--Encoder Series E1 hardware Version 1.4 | A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can grant the attacker full administrative control over the product. | 2026-01-29 | 9.8 | CVE-2026-1453 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-029-01.json |
| Kite--Kite | Kite 1.2020.1119.0 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Kite\KiteService.exe' to inject malicious executables and escalate privileges on the system. | 2026-01-26 | 7.8 | CVE-2020-36958 | ExploitDB-49205 Vendor Homepage VulnCheck Advisory: Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path |
| Kludex--python-multipart | Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations. | 2026-01-27 | 8.6 | CVE-2026-24486 | https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4 https://github.com/Kludex/python-multipart/releases/tag/0.0.22 |
| Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co.--Online Exam and Assessment | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection. This issue affects Online Exam and Assessment: through 30012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-30 | 8.6 | CVE-2025-4686 | https://www.usom.gov.tr/bildirim/tr-26-0010 |
| kohler--hotcrp | HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user's browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer's browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP's API. Malicious documents could be uploaded to submission fields with "file upload" or "attachment" type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`. | 2026-01-30 | 7.3 | CVE-2026-25156 | https://github.com/kohler/hotcrp/security/advisories/GHSA-p88p-2f2p-2476 https://github.com/kohler/hotcrp/commit/8933e86c9f384b356dc4c6e9e2814dee1074b323 https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508 https://github.com/kohler/hotcrp/commit/c3d88a7e18d52119c65df31c2cc994edd2beccc5 |
| Koken--Koken CMS | Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. Attackers can upload PHP files with system command execution capabilities by manipulating the file upload request through a web proxy and changing the file extension. | 2026-01-30 | 8.8 | CVE-2020-37023 | ExploitDB-48706 Koken CMS Official Homepage Softaculous Koken CMS Software Page Researcher PoC VulnCheck Advisory: Koken CMS 0.22.24 - Arbitrary File Upload |
| kyverno--kyverno | Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy's namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno's admission controller identity, targeting any API path allowed by that ServiceAccount's RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability. | 2026-01-27 | 10 | CVE-2026-22039 | https://github.com/kyverno/kyverno/security/advisories/GHSA-8p9x-46gm-qfx2 https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca325066d5095db51aec45b1407b https://github.com/kyverno/kyverno/commit/eba60fa856c781bcb9c3be066061a3df03ae4e3e |
| kyverno--kyverno | Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability. | 2026-01-27 | 7.7 | CVE-2026-23881 | https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq https://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f https://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7 |
| LibreNMS--LibreNMS | LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL injection techniques to retrieve sensitive database contents through time-based blind SQL injection. | 2026-01-27 | 7.1 | CVE-2020-36947 | ExploitDB-49246 LibreNMS Official Website LibreNMS GitHub Repository LibreNMS Community VulnCheck Advisory: LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection |
| loft-sh--loft | vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access resources outside of it. However, the user still cannot access resources beyond what is accessible to the owner of the access key. Versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10 fix the vulnerability. Some other mitigations are available. Users can limit exposure by reviewing access keys which are scoped and ensuring any users with access to them have appropriate permissions set. Creating automation users with very limited permissions and using access keys for these automation users can be used as a temporary workaround where upgrading is not immediately possible but scoped access keys are needed. | 2026-01-29 | 9.1 | CVE-2026-22806 | https://github.com/loft-sh/loft/security/advisories/GHSA-c539-w4ch-7wxq |
| M.J.M Soft--Quick Player | Quick Player 1.3 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious .m3l file with carefully constructed payload. Attackers can trigger the vulnerability by loading a specially crafted file through the application's file loading mechanism, potentially enabling remote code execution. | 2026-01-30 | 9.8 | CVE-2020-37050 | ExploitDB-48564 Software Download Link Archived Researcher Blog Post Archived Researcher Video PoC VulnCheck Advisory: Quick Player 1.3 - '.m3l' Buffer Overflow |
| maurosoria--dirsearch | Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report. | 2026-01-27 | 9.8 | CVE-2021-47901 | ExploitDB-49370 dirsearch GitHub Repository VulnCheck Advisory: dirsearch 0.4.1 - CSV Injection |
| MedDream--MedDream PACS Server | MedDream PACS Server 6.8.3.751 contains an authenticated remote code execution vulnerability that allows authorized users to upload malicious PHP files. Attackers can exploit the uploadImage.php endpoint by authenticating and uploading a PHP shell to execute arbitrary system commands with elevated privileges. | 2026-01-29 | 8.8 | CVE-2020-37009 | ExploitDB-48853 MedDream PACS Server Product Page VulnCheck Advisory: MedDream PACS Server 6.8.3.751 - Remote Code Execution |
| meshtastic--firmware | Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by its NodeID, generated from the MAC address, rather than its public key. This weakens security, specifically because HAM mode, which doesn't use encryption, can be abused. An attacker can forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, causes the other nodes on the mesh to accept the new information and overwrite the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5. | 2026-01-27 | 8.2 | CVE-2025-55292 | https://github.com/meshtastic/firmware/security/advisories/GHSA-45vg-3f35-7ch2 https://github.com/meshtastic/firmware/commit/e5e8683cdba133e726033101586c3235a8678893 |
| Microsoft--Microsoft Office 2019 | Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. | 2026-01-26 | 7.8 | CVE-2026-21509 | Microsoft Office Security Feature Bypass Vulnerability |
| midgetspy--Sickbeard | Sickbeard alpha contains a remote command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands through the extra scripts configuration. Attackers can set malicious commands in the extra scripts field and trigger processing to execute remote code on the vulnerable Sickbeard installation. | 2026-01-30 | 9.8 | CVE-2020-37027 | ExploitDB-48646 Archived Sickbeard Official Homepage Sickbeard GitHub Repository VulnCheck Advisory: Sickbeard 0.1 - Remote Command Injection |
| Mini-stream Software--RM Downloader | RM Downloader 2.50.60 contains a local buffer overflow vulnerability in the 'Load' parameter that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload with an egg hunter technique to bypass memory protections and execute commands like launching calc.exe. | 2026-01-30 | 8.4 | CVE-2020-37036 | ExploitDB-48628 Software v2.50.60 Archive Software Informer Product Page VulnCheck Advisory: RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow |
| Minitool--MiniTool ShadowMaker | MiniTool ShadowMaker 3.2 contains an unquoted service path vulnerability in the MTAgentService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\MiniTool ShadowMaker\AgentService.exe' to inject malicious executables and escalate privileges. | 2026-01-26 | 7.8 | CVE-2020-36953 | ExploitDB-49336 Vendor Homepage VulnCheck Advisory: MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path |
| Mintplex-Labs--anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue. | 2026-01-26 | 7.2 | CVE-2026-24478 | https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jp2f-99h9-7vjv |
| MobSF--Mobile-Security-Framework-MobSF | MobSF is a mobile application security testing tool. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme="android_secret_code">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue. | 2026-01-27 | 8.1 | CVE-2026-24490 | https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5 |
| Motorola-Device-Manager--Motorola Device Manager | Motorola Device Manager 2.5.4 contains an unquoted service path vulnerability in the MotoHelperService.exe service that allows local users to potentially inject malicious code. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with elevated system privileges during service startup. | 2026-01-27 | 7.8 | CVE-2020-36982 | ExploitDB-49012 Motorola Device Manager Vendor Homepage VulnCheck Advisory: Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path |
| n8n--n8n | n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. | 2026-01-27 | 9.9 | CVE-2026-1470 | https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04 https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/ |
| NaturalIntelligence--fast-xml-parser | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue. | 2026-01-30 | 7.5 | CVE-2026-25128 | https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4 |
| Naviwebs S.C.--Navigate CMS | Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts. | 2026-01-30 | 7.1 | CVE-2020-37053 | ExploitDB-48545 Navigate CMS Official Homepage Navigate CMS SourceForge Page VulnCheck Advisory: Navigate CMS 2.8.7 - ''sidx' SQL Injection |
| NetPCLinker--NetPCLinker | NetPCLinker 1.0.0.0 contains a buffer overflow vulnerability in the Clients Control Panel DNS/IP field that allows attackers to execute arbitrary shellcode. Attackers can craft a malicious payload in the DNS/IP input to overwrite SEH handlers and execute shellcode when adding a new client. | 2026-01-30 | 9.8 | CVE-2019-25232 | ExploitDB-48680 NetPCLinker SourceForge Page VulnCheck Advisory: NetPCLinker 1.0.0.0 - Buffer Overflow |
| neutrinolabs--xrdp | xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems. | 2026-01-27 | 9.1 | CVE-2025-68670 | https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f https://github.com/neutrinolabs/xrdp/commit/488c8c7d4d189514a366cd8301b6e816c5218ffa https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.5 |
| Nidesoft Studio--Nidesoft DVD Ripper | Nidesoft DVD Ripper 5.2.18 contains a local buffer overflow vulnerability in the License Code registration parameter that allows attackers to execute arbitrary code. Attackers can craft a malicious payload and paste it into the License Code field to trigger a stack-based buffer overflow and execute shellcode. | 2026-01-30 | 8.4 | CVE-2020-37024 | ExploitDB-48687 Nidesoft DVD Ripper Software Download Page VulnCheck Advisory: Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow |
| Nidesoft--Nidesoft 3GP Video Converter | Nidesoft 3GP Video Converter 2.6.18 contains a local stack buffer overflow vulnerability in the license registration parameter. Attackers can craft a malicious payload and paste it into the 'License Code' field to execute arbitrary code on the system. | 2026-01-28 | 8.4 | CVE-2020-36971 | ExploitDB-49034 Archived Software Repository VulnCheck Advisory: Nidesoft 3GP Video Converter 2.6.18 - Local Stack Buffer Overflow |
| nmedia--Frontend File Manager Plugin | The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only. | 2026-01-28 | 7.5 | CVE-2026-1280 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f9657033?source=cve https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback-functions.php#L98 https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/callback-functions.php#L98 |
| nmedia--Simple User Registration | The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update. | 2026-01-28 | 8.8 | CVE-2026-0844 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0e77e1-7e9f-4f7e-8953-c86ab0e5ae7a?source=cve https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.profile.php#L401 https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.user.php#L305 |
| nordvpn--nordvpn | Nord VPN 6.31.13.0 contains an unquoted service path vulnerability in its nordvpn-service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path during system startup or reboot to potentially run malicious code with LocalSystem permissions. | 2026-01-28 | 7.8 | CVE-2020-36992 | ExploitDB-48790 NordVPN Official Homepage VulnCheck Advisory: Nord VPN-6.31.13.0 - 'nordvpn-service' Unquoted Service Path |
| NVIDIA--GeForce | NVIDIA Display Driver for Windows contains a vulnerability where an attacker could trigger a use after free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. | 2026-01-28 | 7.8 | CVE-2025-33217 | https://nvd.nist.gov/vuln/detail/CVE-2025-33217 https://www.cve.org/CVERecord?id=CVE-2025-33217 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| NVIDIA--GeForce | NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. | 2026-01-28 | 7.8 | CVE-2025-33218 | https://nvd.nist.gov/vuln/detail/CVE-2025-33218 https://www.cve.org/CVERecord?id=CVE-2025-33218 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| NVIDIA--GeForce | NVIDIA Display Driver for Linux contains a vulnerability in the NVIDIA kernel module where an attacker could cause an integer overflow or wraparound. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. | 2026-01-28 | 7.8 | CVE-2025-33219 | https://nvd.nist.gov/vuln/detail/CVE-2025-33219 https://www.cve.org/CVERecord?id=CVE-2025-33219 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| NVIDIA--GeForce | NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause heap memory access after the memory is freed. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. | 2026-01-28 | 7.8 | CVE-2025-33220 | https://nvd.nist.gov/vuln/detail/CVE-2025-33220 https://www.cve.org/CVERecord?id=CVE-2025-33220 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| NVIDIA--NVIDIA runx | NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | 2026-01-27 | 7.8 | CVE-2025-33234 | https://nvd.nist.gov/vuln/detail/CVE-2025-33234 https://www.cve.org/CVERecord?id=CVE-2025-33234 https://nvidia.custhelp.com/app/answers/detail/a_id/5764 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Function` constructor with a safe, sandboxed version (`SandboxFunction`). This is handled in `utils.ts` by mapping `Function` to `sandboxFunction` within a map used for lookups. However, before version 0.8.26, the library did not include mappings for `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction`. These constructors are not global properties but can be accessed via the `.constructor` property of an instance (e.g., `(async () => {}).constructor`). In `executor.ts`, property access is handled. When code running inside the sandbox accesses `.constructor` on an async function (which the sandbox allows creating), the `executor` retrieves the property value. Since `AsyncFunction` was not in the safe-replacement map, the `executor` returns the actual native host `AsyncFunction` constructor. Constructors for functions in JavaScript (like `Function`, `AsyncFunction`) create functions that execute in the global scope. By obtaining the host `AsyncFunction` constructor, an attacker can create a new async function that executes entirely outside the sandbox context, bypassing all restrictions and gaining full access to the host environment (Remote Code Execution). Version 0.8.26 patches this vulnerability. | 2026-01-27 | 10 | CVE-2026-23830 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-wxhw-j4hc-fmq6 https://github.com/nyariv/SandboxJS/commit/345aee6566e47979dee5c337b925b141e7f78ccd |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer without limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB. | 2026-01-27 | 7.5 | CVE-2026-22258 | https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx https://github.com/OISF/suricata/commit/39d8c302af3422a096b75474a4f295a754ec6a74 https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830 https://redmine.openinfosecfoundation.org/issues/8182 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and running out of memory, potentially leading to it getting killed by the OOM killer. Versions 8.0.3 or 7.0.14 contain a patch. As a workaround, disable the DNP3 parser in the suricata yaml (disabled by default). | 2026-01-27 | 7.5 | CVE-2026-22259 | https://github.com/OISF/suricata/security/advisories/GHSA-878h-2x6v-84q9 https://github.com/OISF/suricata/commit/50cac2e2465ca211eabfa156623e585e9037bb7e https://github.com/OISF/suricata/commit/63225d5f8ef64cc65164c0bb1800730842d54942 https://redmine.openinfosecfoundation.org/issues/8181 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`. | 2026-01-27 | 7.5 | CVE-2026-22260 | https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22 https://github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185 https://redmine.openinfosecfoundation.org/issues/8185 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet. | 2026-01-27 | 7.4 | CVE-2026-22264 | https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5 https://github.com/OISF/suricata/commit/549d7bf60616de8e54686a188196453b5b22f715 https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2 https://github.com/OISF/suricata/commit/ac1eb394181530430fb7262969f423a1bf8f209b https://redmine.openinfosecfoundation.org/issues/8190 |
| OpenClaw--OpenClaw | OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value. | 2026-02-01 | 8.8 | CVE-2026-25253 | https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq https://openclaw.ai/blog |
| openemr--openemr | OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user's record; the server accepts the modified IDs and applies the changes to that other user's profile. This allows one user to alter another user's profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue. | 2026-01-27 | 8.8 | CVE-2025-67645 | https://github.com/openemr/openemr/security/advisories/GHSA-vjmv-cf46-gffv https://github.com/openemr/openemr/commit/e2a682ee71aac71a9f04ae566f4ffca10052bc4a |
| opf--openproject | OpenProject is an open-source, web-based project management software. To enable real-time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours and encrypts it with a shared secret known only to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check the user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled. | 2026-01-28 | 8.9 | CVE-2026-24772 | https://github.com/opf/openproject/security/advisories/GHSA-r854-p5qj-x974 |
| Pablosoftwaresolutions--Quick 'n Easy FTP Service | Quick 'n Easy FTP Service 3.2 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code during service startup. Attackers can exploit the misconfigured service binary path to inject malicious executables with elevated LocalSystem privileges during system boot or service restart. | 2026-01-27 | 7.8 | CVE-2020-36983 | ExploitDB-48983 Vendor Homepage Software Download Page VulnCheck Advisory: Quick 'n Easy FTP Service 3.2 - Unquoted Service Path |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` and `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is a `globalPromise` object. Version 3.10.2 fixes the issue. | 2026-01-26 | 9.8 | CVE-2026-22709 | https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8 https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29 https://github.com/patriksimek/vm2/releases/tag/v3.10.2 |
| Pdf-Complete--PDF Complete | PDF Complete 3.5.310.2002 contains an unquoted service path vulnerability in its pdfsvc.exe service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. | 2026-01-26 | 7.8 | CVE-2020-36957 | ExploitDB-49226 PDF Complete Vendor Homepage VulnCheck Advisory: PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path |
| PHPSUGAR--PHP Melody | PHP Melody version 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attackers to inject malicious SQL commands. Attackers can exploit the unvalidated 'vid' parameter to execute arbitrary database queries and potentially compromise the web application and database management system. | 2026-02-01 | 8.1 | CVE-2021-47915 | Vulnerability Lab Advisory Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: PHP Melody 3.0 SQL Injection Vulnerability via Edit Video Parameter |
| PMB Services--PMB Services | PMB 5.6 contains a local file disclosure vulnerability in getgif.php that allows attackers to read arbitrary system files by manipulating the 'chemin' parameter. Attackers can exploit the unsanitized file path input to access sensitive files like /etc/passwd by sending crafted requests to the getgif.php endpoint. | 2026-01-28 | 8.4 | CVE-2020-36970 | ExploitDB-49054 Vendor Homepage Software Download Repository VulnCheck Advisory: PMB 5.6 - 'chemin' Local File Disclosure |
| polarnl--PolarLearn | PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body's `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., `"x"`) as `direction`. Downstream (`VoteServer`) treats any non-`"up"` and non-`null` value as a downvote and persists the invalid value in `votes_data`. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability. | 2026-01-29 | 7.1 | CVE-2026-25126 | https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41 |
| Preyproject--Prey | Prey 1.9.6 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the CronService to insert malicious code that would execute during application startup or system reboot. | 2026-01-28 | 7.8 | CVE-2020-36986 | ExploitDB-48967 Vendor Homepage VulnCheck Advisory: Prey 1.9.6 - "CronService" Unquoted Service Path |
| ProjectSkyfire--SkyFire_548 | Improper pointer arithmetic vulnerability in ProjectSkyfire SkyFire_548. This issue affects SkyFire_548: before 5.4.8-stable5. | 2026-01-27 | 9.8 | CVE-2026-24872 | https://github.com/cadaver/turso3d/pull/11 |
| pytorch--pytorch | PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue. | 2026-01-27 | 8.8 | CVE-2026-24747 | https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p https://github.com/pytorch/pytorch/issues/163105 https://github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139 https://github.com/pytorch/pytorch/releases/tag/v2.10.0 |
| Raimersoft--TapinRadio | TapinRadio 2.13.7 contains a denial of service vulnerability in the application proxy settings that allows attackers to crash the program by overflowing input fields. Attackers can paste a large buffer of 20,000 characters into the username and address fields to cause the application to become unresponsive and require reinstallation. | 2026-01-27 | 7.5 | CVE-2020-36949 | ExploitDB-49206 Vendor Homepage VulnCheck Advisory: TapinRadio 2.13.7 - Denial of Service |
| Ralim--IronOS | Integer Overflow or Wraparound vulnerability in Ralim IronOS. This issue affects IronOS: before v2.23-rc2. | 2026-01-27 | 9.8 | CVE-2026-24830 | https://github.com/Ralim/IronOS/pull/2083 |
| Realtek--Realtek Andrea RT Filters | Realtek Andrea RT Filters 1.0.64.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in 'C:\Program Files\IDT\WDM\AESTSr64.exe' to inject malicious code that would execute during service startup or system reboot. | 2026-01-27 | 7.8 | CVE-2020-36974 | ExploitDB-49158 Realtek Official Homepage VulnCheck Advisory: Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path |
| Red Hat--OpenShift Serverless | A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack. | 2026-01-30 | 7.5 | CVE-2024-4027 | https://access.redhat.com/security/cve/CVE-2024-4027 RHBZ#2276410 |
| Red Hat--osim | The $uri$args concatenation in the nginx configuration file present in Open Security Issue Management (OSIM) prior to v2025.9.0 allows path traversal attacks via query parameters. | 2026-01-29 | 7.5 | CVE-2026-1616 | https://github.com/RedHatProductSecurity/osim/pull/615 |
| Red Hat--RHEL-9-CNV-4.19 | A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism. | 2026-01-26 | 8.5 | CVE-2025-14459 | RHSA-2026:0950 https://access.redhat.com/security/cve/CVE-2025-14459 RHBZ#2420938 |
| Rinnegatamante--lpp-vita | Out-of-bounds Read vulnerability in Rinnegatamante lpp-vita. This issue affects lpp-vita: before lpp-vita r6. | 2026-01-27 | 7.8 | CVE-2026-24873 | https://github.com/Rinnegatamante/lpp-vita/pull/82 |
| Ruijienetworks--Ruijie Networks Switch eWeb S29_RGOS | Ruijie Networks Switch eWeb S29_RGOS 11.4 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by manipulating file path parameters. Attackers can exploit the /download.do endpoint with '../' sequences to retrieve system configuration files containing credentials and network settings. | 2026-01-29 | 7.5 | CVE-2020-37015 | ExploitDB-48755 Ruijie Networks Official Homepage Directory Traversal Vulnerability Source VulnCheck Advisory: Ruijie Networks Switch eWeb S29_RGOS 11.4 - Directory Traversal |
| runtipi--runtipi | Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability. | 2026-01-29 | 7.6 | CVE-2026-25116 | https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6 https://github.com/runtipi/runtipi/releases/tag/v4.7.2 |
| saadiqbal--New User Approve | The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users. | 2026-01-28 | 7.3 | CVE-2026-0832 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f86a69ab-2fc5-4c84-872b-929dbec429cd?source=cve https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L60 https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L60 https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L24 https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L24 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425140%40new-user-approve&new=3425140%40new-user-approve&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442291%40new-user-approve&new=3442291%40new-user-approve&sfp_email=&sfph_mail= |
| Salt Project--Salt | Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process. | 2026-01-30 | 7.8 | CVE-2025-62348 | Salt 3006.17 release notes (fix for CVE-2025-62348) |
| Sangfor--Operation and Maintenance Security Management System | A vulnerability has been found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. The impacted element is an unknown function of the file /fort/audit/get_clip_img of the component HTTP POST Request Handler. Such manipulation of the argument frame/dirno leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-01-26 | 7.3 | CVE-2026-1412 | VDB-342801 \| Sangfor Operation and Maintenance Security Management System HTTP POST Request get_clip_img command injection VDB-342801 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736513 \| Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统) v3.0.12 Command Injection https://github.com/LX-LX88/cve/issues/22 |
| Scille--parsec-cloud | Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order points of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability for both parties to obtain the same shared key (hence leading to a successful SAS code exchange, misleading both parties into thinking no MITM has occurred), which is also known by the attacker. Note that only Parsec web is impacted (as Parsec desktop uses `libparsec_crypto` with the libsodium backend). Version 3.6.0 of Parsec patches the issue. | 2026-01-29 | 8.3 | CVE-2025-62514 | https://github.com/Scille/parsec-cloud/security/advisories/GHSA-hrc9-gm58-pgj9 https://github.com/Scille/parsec-cloud/commit/197bb6387b49fec872b5e4a04dcdb82b3d2995b2 https://github.com/Scille/parsec-cloud/blob/e7c5cdbc4234f606ccf3ab2be7e9edc22db16feb/libparsec/crates/crypto/src/rustcrypto/private.rs#L136-L138 https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/curve25519-dalek/src/montgomery.rs#L132-L146 https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/x25519-dalek/src/x25519.rs#L364-L366 |
| script3--soroban-fixed-point-math | soroban-fixed-point-math is a fixed-point math library for Soroban smart contracts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are `fixed_div_floor` and `fixed_div_ceil`, as they often use non-constant numbers as the divisor $z$ in `mulDiv`. This error is present in all signed `FixedPoint` and `SorobanFixedPoint` implementations, including `i64`, `i128`, and `I256`. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available. | 2026-01-27 | 7.5 | CVE-2026-24783 | https://github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65 https://github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1 https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1 |
| sebastianbergmann--phpunit | PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control. | 2026-01-27 | 7.8 | CVE-2026-24765 | https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63 https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50 https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8 https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52 https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33 |
| Segurazo--SAntivirus IC | SAntivirus IC 10.0.21.61 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted executable path to inject malicious files in the service binary path, enabling privilege escalation to system-level permissions. | 2026-01-27 | 7.8 | CVE-2020-36980 | ExploitDB-49042 Vendor Homepage VulnCheck Advisory: SAntivirus IC 10.0.21.61 - 'SAntivirusIC' Unquoted Service Path |
| SEIKO EPSON Corp--Status Monitor 3 | EPSON Status Monitor 3 version 8.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can leverage the unquoted path in 'C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE' to inject malicious executables and escalate privileges. | 2026-01-27 | 7.8 | CVE-2020-36975 | ExploitDB-49141 Official EPSON Corporate Homepage VulnCheck Advisory: EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path |
| shahrukhlinkgraph--Search Atlas SEO Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the 'nonce_token' authentication value to log in to the first Administrator's account. | 2026-01-28 | 8.8 | CVE-2025-14386 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6f63d2c4-cbae-4177-8494-daca96449ecc?source=cve https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L1042 https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L851 https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L1141 |
| Sharemouse--ShareMouse | ShareMouse 5.0.43 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the insecure service path configuration by placing malicious executables in specific system directories to gain elevated access during service startup. | 2026-01-28 | 7.8 | CVE-2020-36991 | ExploitDB-48794 ShareMouse Official Vendor Homepage VulnCheck Advisory: ShareMouse 5.0.43 - 'ShareMouse Service' Unquoted Service Path |
| Simplephpscripts--Simple CMS | Simple CMS 2.1 contains a remote SQL injection vulnerability that allows privileged attackers to inject unfiltered SQL commands in the users module. Attackers can exploit unvalidated input parameters in the admin.php file to compromise the database management system and web application. | 2026-02-01 | 8.1 | CVE-2021-47918 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Simple CMS 2.1 SQL Injection Vulnerability via Users Module |
| smartdatasoft--SmartBlog | SmartBlog 2.0.1 contains a blind SQL injection vulnerability in the 'id_post' parameter of the details controller that allows attackers to extract database information. Attackers can systematically test and retrieve database contents by injecting crafted SQL queries that compare character-by-character of database information. | 2026-01-28 | 8.2 | CVE-2020-36972 | ExploitDB-48995 SmartBlog GitHub Repository VulnCheck Advisory: SmartBlog 2.0.1 - 'id_post' Blind SQL injection |
| SOCUSOFT--Photo to Video Converter Professional | Socusoft Photo to Video Converter Professional 8.07 contains a local buffer overflow vulnerability in the 'Output Folder' input field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload and paste it into the output folder field to trigger a stack-based buffer overflow and potentially execute shellcode. | 2026-01-30 | 8.4 | CVE-2020-37028 | ExploitDB-48691 Archived Vendor Homepage VulnCheck Advisory: Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | 2026-01-28 | 9.8 | CVE-2025-40551 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40551 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication. | 2026-01-28 | 9.8 | CVE-2025-40552 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40552 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | 2026-01-28 | 9.8 | CVE-2025-40553 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40553 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk. | 2026-01-28 | 9.8 | CVE-2025-40554 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40554 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality. | 2026-01-28 | 8.1 | CVE-2025-40536 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40536 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. | 2026-01-28 | 7.5 | CVE-2025-40537 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40537 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| Sonarqube--SonarQube | SonarQube 8.3.1 contains an unquoted service path vulnerability that allows local attackers to gain SYSTEM privileges by exploiting the service executable path. Attackers can replace the wrapper.exe in the service path with a malicious executable to execute code with highest system privileges during service restart. | 2026-01-29 | 7.8 | CVE-2020-37020 | ExploitDB-48677 SonarQube Official Homepage VulnCheck Advisory: SonarQube 8.3.1 - Unquoted Service Path |
| Squidex--squidex | Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restrict destination IP addresses. It accepts local addresses such as 127.0.0.1 or localhost. When a rule is triggered (either manually by calling the trigger endpoint, or by a content update or any other trigger), the backend server executes an HTTP request to the user-supplied URL. Crucially, the server logs the full HTTP response in the rule execution log (lastDump field), which is accessible via the API. This turns a "Blind" SSRF into a "Full Read" SSRF. As of time of publication, no patched versions are available. | 2026-01-27 | 9.1 | CVE-2026-24736 | https://github.com/Squidex/squidex/security/advisories/GHSA-wxg2-953m-fg2w |
| sunnygkp10--Online-Exam-System | Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' endpoint by crafting malicious payload requests that use time delays to systematically enumerate user password characters. | 2026-01-30 | 8.2 | CVE-2020-37051 | ExploitDB-48560 Software Repository VulnCheck Advisory: Online-Exam-System 2015 - 'feedback' SQL Injection |
| sunnygkp10--Online-Exam-System | Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious SQL code into the 'fid' parameter to potentially extract, modify, or delete database information. | 2026-01-30 | 8.2 | CVE-2020-37057 | ExploitDB-48529 Software Repository VulnCheck Advisory: Online-Exam-System 2015 - 'fid' SQL Injection |
| Techraft--Digital Multivendor Marketplace Online Store | Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database management system. | 2026-02-01 | 8.1 | CVE-2021-47909 | Vulnerability Lab Advisory Product Homepage Product Homepage VulnCheck Advisory: Mult-E-Cart Ultimate 2.4 SQL Injection via Vulnerable ID Parameters |
| telnet-lite--Mocha Telnet Lite for iOS | Mocha Telnet Lite for iOS 4.2 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the user configuration input. Attackers can overwrite the 'User' field with 350 bytes of repeated characters to trigger an application crash and prevent normal functionality. | 2026-01-29 | 7.5 | CVE-2020-36995 | ExploitDB-48728 Official App Store Page for Mocha Telnet Lite VulnCheck Advisory: Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service |
| Tenda--AC21 | A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function fromAdvSetMacMtuWan of the file /goform/AdvSetMacMtuWan. The manipulation leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-01-29 | 8.8 | CVE-2026-1637 | VDB-343416 \| Tenda AC21 AdvSetMacMtuWan fromAdvSetMacMtuWan stack-based overflow VDB-343416 \| CTI Indicators (IOB, IOC, IOA) Submit #740865 \| Tenda AC21 V16.03.08.16 Buffer Overflow https://github.com/LX-LX88/cve/issues/25 https://www.tenda.com.cn/ |
| Tenda--AC23 | A flaw has been found in Tenda AC23 16.03.07.52. This impacts an unknown function of the file /goform/WifiExtraSet. This manipulation of the argument wpapsk_crypto causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-01-26 | 8.8 | CVE-2026-1420 | VDB-342836 \| Tenda AC23 WifiExtraSet buffer overflow VDB-342836 \| CTI Indicators (IOB, IOC, IOA) Submit #736559 \| Tenda AC23 V16.03.07.52 Buffer Overflow https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow_WifiExtraSet/Tenda%20AC23_Buffer_Overflow_WifiExtraSet.md https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow_WifiExtraSet/Tenda%20AC23_Buffer_Overflow_WifiExtraSet.md#poc https://www.tenda.com.cn/ |
| Tenda--AX12 Pro V2 | A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack can be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been made public and could be used. | 2026-01-29 | 8.1 | CVE-2026-1610 | VDB-343378 \| Tenda AX12 Pro V2 Telnet Service hard-coded credentials VDB-343378 \| CTI Indicators (IOB, IOC, TTP) Submit #740766 \| Tenda AX12 pro V2 V16.03.49.24_cn Hard-coded Credentials https://github.com/QIU-DIE/CVE/issues/49 https://www.tenda.com.cn/ |
| Tenda--HG10 | A weakness has been identified in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. Impacted is an unknown function of the file /boaform/formSamba of the component Boa Webserver. Executing a manipulation of the argument serverString can lead to command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-30 | 7.3 | CVE-2026-1687 | VDB-343481 \| Tenda HG10 Boa Webserver formSamba command injection VDB-343481 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741281 \| Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon Command Injection https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSamba-serverString-command.md https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSamba-serverString-command.md#poc https://www.tenda.com.cn/ |
| Tenda--HG10 | A vulnerability was detected in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. The impacted element is the function checkUserFromLanOrWan of the file /boaform/admin/formLogin of the component Login Interface. The manipulation of the argument Host results in command injection. The attack can be launched remotely. The exploit is now public and may be used. | 2026-01-30 | 7.3 | CVE-2026-1689 | VDB-343483 \| Tenda HG10 Login formLogin checkUserFromLanOrWan command injection VDB-343483 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741411 \| Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon Command Injection https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formLogin-Host-command.md https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formLogin-Host-command.md#poc https://www.tenda.com.cn/ |
| Tendenci--Tendenci | Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd\|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications. | 2026-01-28 | 9.8 | CVE-2020-36962 | ExploitDB-49145 Official Vendor Homepage Tendenci GitHub Repository VulnCheck Advisory: Tendenci 12.3.1 - CSV/ Formula Injection |
| Testa--Testa Online Test Management System | Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. Attackers can inject malicious SQL code in the search field to extract database information, potentially accessing sensitive user or system data. | 2026-01-27 | 8.2 | CVE-2021-47902 | ExploitDB-49194 Archived Vendor Homepage VulnCheck Advisory: Testa Online Test Management System 3.4.7 - 'q' SQL Injection |
| themrdemonized--xray-monolith | Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith. This issue affects xray-monolith: before 2025.12.30. | 2026-01-27 | 9.1 | CVE-2026-24874 | https://github.com/themrdemonized/xray-monolith/pull/399 |
| tigroumeow--AI Engine The Chatbot and AI Framework for WordPress | The AI Engine - The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory. | 2026-01-28 | 7.2 | CVE-2026-1400 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d5227269-4406-4fcf-af37-f1db0af857d6?source=cve https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php#L1104 https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php#L1141 https://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/rest.php |
| Tildeslash Ltd.--M/Monit | M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standard user account. | 2026-01-28 | 8.8 | CVE-2020-36969 | ExploitDB-49080 M/Monit Official Vendor Homepage VulnCheck Advisory: M/Monit 3.7.4 - Privilege Escalation |
| TimeClock Software--TimeClock Software | TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. Attackers can inject conditional time delays in the add_entry.php endpoint to determine user existence by measuring response time differences. | 2026-01-29 | 7.1 | CVE-2020-37005 | ExploitDB-48874 Archived Product Homepage VulnCheck Advisory: TimeClock Software 1.01 Authenticated Time-Based SQL Injection |
| Totolink--A3600R | A security flaw has been discovered in Totolink A3600R 5.9c.4959. This issue affects the function setAppEasyWizardConfig in the library /lib/cste_modules/app.so. Performing a manipulation of the argument apcliSsid results in buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-30 | 8.8 | CVE-2026-1686 | VDB-343480 \| Totolink A3600R app.so setAppEasyWizardConfig buffer overflow VDB-343480 \| CTI Indicators (IOB, IOC, IOA) Submit #740888 \| TOTOLINK A3600R V5.9c.4959 Buffer Overflow https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A3600R/4959-apcliSsid-setAppEasyWizardConfig.md https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A3600R/4959-apcliSsid-setAppEasyWizardConfig.md#poc https://www.totolink.net/ |
| TrustTunnel--TrustTunnel | TrustTunnel is an open-source VPN protocol with a server-side request forgery and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer) => peer` path proceeded to `TcpStream::connect()` without equivalent checks (for example `is_global_ip`, `is_loopback`), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114. | 2026-01-29 | 7.1 | CVE-2026-24902 | https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76 https://github.com/TrustTunnel/TrustTunnel/commit/734bb5cf103b72390a95c853cbf91e699cc01bc0 |
| TryGhost--Ghost | Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version. | 2026-01-27 | 8.8 | CVE-2026-24778 | https://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882h https://github.com/TryGhost/Ghost/commit/da858e640e88e69c1773a7b7ecdc2008fa143849 |
| Tucows Inc.--Audio Playback Recorder | Audio Playback Recorder 3.2.2 contains a local buffer overflow vulnerability in the eject and registration parameters that allows attackers to execute arbitrary code. Attackers can craft malicious payloads and overwrite Structured Exception Handler (SEH) to execute shellcode when pasting specially crafted input into the application's input fields. | 2026-01-29 | 8.4 | CVE-2020-37013 | ExploitDB-48796 Archived Researcher Proof of Concept Video Product Software Archive VulnCheck Advisory: Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH) |
| Tucows--Easy CD & DVD Cover Creator | Easy CD & DVD Cover Creator 4.13 contains a buffer overflow vulnerability in the serial number input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the serial number field to trigger an application crash. | 2026-01-27 | 9.8 | CVE-2020-36940 | ExploitDB-49337 VulnCheck Advisory: Easy CD & DVD Cover Creator 4.13 - Denial of Service |
| Ubiquiti, Inc.--AirControl | AirControl 1.4.2 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through malicious Java expression injection. Attackers can exploit the /.seam endpoint by crafting a specially constructed URL with embedded Java expressions to run commands with the application's system privileges. | 2026-01-30 | 9.8 | CVE-2020-37052 | ExploitDB-48541 Vendor Homepage VulnCheck Advisory: AirControl 1.4.2 - PreAuth Remote Code Execution |
| Veritas--NetBackup | Veritas NetBackup 7.0 contains an unquoted service path vulnerability in the NetBackup INET Daemon service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe to inject malicious code that would execute with elevated LocalSystem privileges. | 2026-02-01 | 7.8 | CVE-2020-37045 | ExploitDB-48227 Veritas Official Homepage VulnCheck Advisory: NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path |
| VeryPDF.com, Inc.--docPrint Pro | docPrint Pro 8.0 contains a local buffer overflow vulnerability in the 'Add URL' input field that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload that triggers a structured exception handler (SEH) overwrite to execute shellcode and gain remote system access. | 2026-01-28 | 8.4 | CVE-2020-36965 | ExploitDB-49100 Vendor Homepage VulnCheck Advisory: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter) |
| VestaCP--VestaCP | VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions. | 2026-01-27 | 9.8 | CVE-2020-36948 | ExploitDB-49219 VestaCP Official Homepage Vulnerability Lab Advisory Benjamin Kunz Mejri Profile VulnCheck Advisory: VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation |
| VictorAlagwu--CMSsite | Victor CMS 1.0 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the profile image upload feature. Attackers can upload a PHP shell to the /img directory and execute system commands by accessing the uploaded file via web browser. | 2026-01-27 | 8.8 | CVE-2020-36942 | ExploitDB-49310 Victor CMS Project Repository VulnCheck Advisory: Victor CMS 1.0 - File Upload To RCE |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1 contains a patch for the issue. | 2026-01-27 | 7.1 | CVE-2026-24779 | https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc https://github.com/vllm-project/vllm/pull/32746 https://github.com/vllm-project/vllm/commit/f46d576c54fb8aeec5fc70560e850bed38ef17d7 |
| WEBDAMN.COM--WebDamn User Registration & Login System with User Panel | WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inject the payload '<email>' OR '1'='1' in both username and password fields to gain unauthorized access to the user panel. | 2026-01-28 | 8.2 | CVE-2020-36945 | ExploitDB-49170 Vendor Homepage Software Product Page VulnCheck Advisory: WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass |
| Weird Solutions--DHCP Turbo | DHCP Turbo 4.61298 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can place malicious executables in the service path to gain elevated privileges when the service starts. | 2026-02-01 | 7.8 | CVE-2020-37062 | ExploitDB-48080 Vendor Homepage VulnCheck Advisory: DHCP Turbo 4.6.1298- 'DHCP Turbo 4' Unquoted Service Path |
| Weird-Solutions--BOOTP Turbo | BOOTP Turbo 2.0.1214 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted executable path to inject malicious code that will be executed when the service starts with LocalSystem permissions. | 2026-02-01 | 7.8 | CVE-2020-37061 | ExploitDB-48078 Vendor Homepage VulnCheck Advisory: BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path |
| Weird-Solutions--TFTP Turbo | TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. | 2026-02-01 | 7.8 | CVE-2020-37063 | ExploitDB-48085 Vendor Homepage VulnCheck Advisory: TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path |
| WellChoose--Single Sign-On Portal System | Single Sign-On Portal System developed by WellChoose has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2026-01-26 | 8.8 | CVE-2026-1427 | https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html https://www.twcert.org.tw/en/cp-139-10655-59160-2.html |
| WellChoose--Single Sign-On Portal System | Single Sign-On Portal System developed by WellChoose has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2026-01-26 | 8.8 | CVE-2026-1428 | https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html https://www.twcert.org.tw/en/cp-139-10655-59160-2.html |
| Wibu--CodeMeter | CodeMeter 6.60 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CodeMeter Runtime Server service to inject malicious code that would execute with LocalSystem permissions. | 2026-01-29 | 7.8 | CVE-2020-37017 | ExploitDB-48735 CodeMeter Runtime Product Homepage VulnCheck Advisory: CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path |
| WinAVR--WinAVR | WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR installation directory. | 2026-01-27 | 8.8 | CVE-2020-36938 | ExploitDB-49379 WinAVR Official Project Homepage VulnCheck Advisory: WinAVR Version 20100110 - Insecure Folder Permissions |
| WinFrigate--Frigate 2 | Frigate 2.02 contains a denial of service vulnerability that allows attackers to crash the application by sending oversized input to the command line interface. Attackers can generate a payload of 8000 repeated characters and paste it into the application's command line field to trigger an application crash. | 2026-01-30 | 7.5 | CVE-2020-37039 | ExploitDB-48613 Archived Vendor Homepage VulnCheck Advisory: Frigate 2.02 - Denial Of Service |
| WinFrigate--Frigate 3 Professional | Frigate Professional 3.36.0.9 contains a local buffer overflow vulnerability in the 'Find Computer' feature that allows attackers to execute arbitrary code by overflowing the computer name input field. Attackers can craft a malicious payload that triggers a buffer overflow, enabling code execution and launching calculator as a proof of concept. | 2026-01-30 | 8.4 | CVE-2020-37042 | ExploitDB-48579 Archived Vendor Homepage VulnCheck Advisory: Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow |
| WinFrigate--Frigate 3 Professional | Frigate 3.36.0.9 contains a local buffer overflow vulnerability in the Command Line input field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload to overflow the buffer, bypass DEP, and execute commands like launching calc.exe through a specially crafted input sequence. | 2026-01-30 | 8.4 | CVE-2020-37049 | ExploitDB-48563 Archived Vendor Homepage VulnCheck Advisory: Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow |
| Wing FTP Server--Wing FTP Server | Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function. | 2026-01-30 | 8.8 | CVE-2020-37032 | ExploitDB-48676 Wing FTP Server Official Homepage VulnCheck Advisory: Wing FTP Server 6.3.8 - Remote Code Execution |
| Wondershare--Wondershare Driver Install Service help | Wondershare Driver Install Service contains an unquoted service path vulnerability in the ElevationService executable that allows local attackers to potentially inject malicious code. Attackers can exploit the unquoted path to replace the service binary with a malicious executable, enabling privilege escalation to LocalSystem account. | 2026-01-27 | 7.8 | CVE-2020-36977 | ExploitDB-49101 Vendor Homepage Software Product Page VulnCheck Advisory: Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path |
| wpcreatix--VidShop Shoppable Videos for WooCommerce | The VidShop - Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'fields' parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-28 | 7.5 | CVE-2026-0702 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a61d8d2a-742f-45f1-9146-f733b80ef195?source=cve https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/rest-api/v1/class-videos-controller.php#L224 https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/rest-api/v1/class-videos-controller.php#L297 https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/utils/class-query-builder.php#L778 https://plugins.trac.wordpress.org/changeset/3441106/ |
| yoyofr--modizer | Integer Overflow or Wraparound vulnerability in yoyofr modizer. This issue affects modizer: before 4.1.1. | 2026-01-27 | 7.8 | CVE-2026-24875 | https://github.com/yoyofr/modizer/pull/133 |
| zalando--skipper | Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions. | 2026-01-26 | 8.1 | CVE-2026-24470 | https://github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9 https://github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219 https://kubernetes.io/docs/concepts/services-networking/service/#externalname |
| Zortam.com--Zortam Mp3 Media Studio | Zortam Mp3 Media Studio 27.60 contains a buffer overflow vulnerability in the library creation file selection process that allows remote code execution. Attackers can craft a malicious text file with shellcode to trigger a structured exception handler (SEH) overwrite and execute arbitrary commands on the target system. | 2026-01-28 | 9.8 | CVE-2020-36967 | ExploitDB-49084 Zortam Official Homepage Zortam Software Download Page VulnCheck Advisory: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH) |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 2100 Technology--Official Document Management System | Official Document Management System developed by 2100 Technology has an Incorrect Authorization vulnerability, allowing authenticated remote attackers to modify front-end code to read all official documents. | 2026-01-28 | 6.5 | CVE-2026-1514 | https://www.twcert.org.tw/tw/cp-132-10658-c5a07-1.html https://www.twcert.org.tw/en/cp-139-10659-264cd-2.html |
| Adikiss--Sistem Informasi Pengumuman Kelulusan Online | Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative accounts without the victim's consent. | 2026-01-30 | 5.3 | CVE-2020-37046 | ExploitDB-48571 Vendor Homepage Software Download Page VulnCheck Advisory: Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery |
| ajay138--Knap Advanced PHP Login | Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. Attackers can exploit the vulnerability to execute arbitrary scripts in users and activity log backend modules, potentially leading to session hijacking and persistent phishing attacks. | 2026-02-01 | 6.4 | CVE-2022-50940 | Vulnerability Lab Advisory Laravel & Vue.js VulnCheck Advisory: Knap Advanced PHP Login 3.1.3 Persistent Cross-Site Scripting via Name Parameter |
| Akın Software Computer Import Export Industry and Trade Ltd.--QR Menu | Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation. This issue affects QR Menu: before s1.05.12. | 2026-01-29 | 5.7 | CVE-2025-7015 | https://www.usom.gov.tr/bildirim/tr-26-0006 |
| Author: Scott Ferreira--Free Photo & Video Vault - WiFi Transfer | Free Photo & Video Vault 0.0.2 contains a directory traversal web vulnerability that allows remote attackers to manipulate application path requests and access sensitive system files. Attackers can exploit the vulnerability without privileges to retrieve environment variables and access unauthorized system paths. | 2026-02-01 | 6.5 | CVE-2021-47921 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Free Photo & Video Vault 0.0.2 Directory Traversal Vulnerability via Web Request |
| ays-pro--Popup Box Create Countdown, Coupon, Video, Contact Form Popups | The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link. | 2026-01-31 | 4.3 | CVE-2026-1165 | https://www.wordfence.com/threat-intel/vulnerabilities/id/585a9eb4-f394-4cb2-9050-659171a994d9?source=cve https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/admin/partials/ays-pb-admin-display.php#L22 https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/includes/lists/class-ays-pb-list-table.php#L701 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3439514@ays-popup-box/tags/6.1.1/&new=3444612@ays-popup-box/tags/6.1.2/ |
| B&R Industrial Automation GmbH--Process Visualization Interface (PVI) | An Insertion of Sensitive Information into Log File vulnerability in B&R PVI client versions prior to 6.5 may be abused by an authenticated local attacker to gather credential information which is processed by the PVI client application. The logging function of the PVI client application is disabled by default and must be explicitly enabled by the user. | 2026-01-29 | 5 | CVE-2026-0936 | https://www.br-automation.com/fileadmin/SA26P001-2862434c.pdf |
| backstage--backstage | Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, a path traversal vulnerability in the TechDocs local generator allows attackers to read arbitrary files from the host filesystem when Backstage is configured with `techdocs.generator.runIn: local`. When processing documentation from untrusted sources, symlinks within the docs directory are followed by MkDocs during the build process. File contents are embedded into generated HTML and exposed to users who can view the documentation. This vulnerability is fixed in `@backstage/plugin-techdocs-node` versions 1.13.11 and 1.14.1. Some workarounds are available. Switch to `runIn: docker` in `app-config.yaml` and/or restrict write access to TechDocs source repositories to trusted users only. | 2026-01-30 | 5.3 | CVE-2026-25152 | https://github.com/backstage/backstage/security/advisories/GHSA-w669-jj7h-88m9 |
| Banco de Guayaquil--Banco Guayaquil | Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST request that executes on application review without user interaction. | 2026-02-01 | 6.4 | CVE-2022-50952 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Banco Guayaquil 8.0.0 Mobile iOS Cross-Site Scripting via Profile Name Input |
| Bdtask--Bhojon All-In-One Restaurant Management System | A vulnerability was determined in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The affected element is an unknown function of the file /hungry/placeorder of the component Checkout. Executing a manipulation of the argument orggrandTotal/vat/service_charge/grandtotal can lead to business logic errors. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 4.3 | CVE-2026-1599 | VDB-343361 \| Bdtask Bhojon All-In-One Restaurant Management System Checkout placeorder logic error VDB-343361 \| CTI Indicators (IOB, IOC, IOA) Submit #740740 \| Bdtask Bhojon All-In-One Restaurant Management System latest Business Logic Errors https://github.com/4m3rr0r/PoCVulDb/issues/13 https://www.youtube.com/watch?v=n7xLBAOrKAU |
| Bdtask--Bhojon All-In-One Restaurant Management System | A vulnerability was identified in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The impacted element is an unknown function of the file /hungry/addtocart of the component Add-to-Cart Submission Endpoint. The manipulation of the argument price/allprice leads to business logic errors. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 4.3 | CVE-2026-1600 | VDB-343362 \| Bdtask Bhojon All-In-One Restaurant Management System Add-to-Cart Submission Endpoint addtocart logic error VDB-343362 \| CTI Indicators (IOB, IOC, IOA) Submit #740741 \| Bdtask Bhojon All-In-One Restaurant Management System latest Business Logic Errors https://github.com/4m3rr0r/PoCVulDb/issues/14 https://www.youtube.com/watch?v=UESZTjVS4Fs |
| Bdtask--SalesERP | A vulnerability has been found in Bdtask SalesERP up to 20260116. This issue affects some unknown processing of the component Administrative Endpoint. Such manipulation of the argument ci_session leads to improper authorization. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 6.3 | CVE-2026-1597 | VDB-343359 \| Bdtask SalesERP Administrative Endpoint improper authorization VDB-343359 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740735 \| Bdtask SalesERP -- AI-Powered ERP Software For Small Business Unknown Broken Access Control / Privilege Escalation https://github.com/4m3rr0r/PoCVulDb/issues/11 https://www.youtube.com/watch?v=KSducixS3pk |
| Beckhoff Automation--Beckhoff.Device.Manager.XAR | A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response. | 2026-01-27 | 5.3 | CVE-2025-41728 | https://certvde.com/de/advisories/VDE-2025-092 |
| Beetel--777VR1 | A vulnerability was detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. Impacted is an unknown function of the component UART Interface. The manipulation results in missing authentication. An attack on the physical device is feasible. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-26 | 6.4 | CVE-2026-1410 | VDB-342799 \| Beetel 777VR1 UART missing authentication VDB-342799 \| CTI Indicators (IOB, IOC) Submit #739433 \| Beetel Beetel 777VR1 Broadband Router Firmware Versions: V01.00.09 / V01.00.09_55 CWE-306 - Missing Authentication for Critical Function https://gist.github.com/raghav20232023/96a6b13ab00c493d21362e744627ea9f |
| Beetel--777VR1 | A flaw has been found in Beetel 777VR1 up to 01.00.09/01.00.09_55. The affected element is an unknown function of the component UART Interface. This manipulation causes improper access controls. It is feasible to perform the attack on the physical device. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-26 | 6.1 | CVE-2026-1411 | VDB-342800 \| Beetel 777VR1 UART access control VDB-342800 \| CTI Indicators (IOB, IOC, TTP) Submit #740674 \| Beetel Beetel 777VR1 Broadband Router Firmware Versions: V01.00.09 / V01.00.09_55 CWE-284 - Improper Access Control https://gist.github.com/raghav20232023/ea6adcd6d1eca35683570a1094164bd3 |
| bfintal--Interactions Create Interactive Experiences in the Block Editor | The Interactions - Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-12709 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab97f125-3a4a-4293-b218-07586c1c021c?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448073%40interactions&new=3448073%40interactions |
| birkir--prime | birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query parameters. | 2026-01-29 | 5.3 | CVE-2025-15550 | GitHub Issue #547 VulnCheck Advisory: birkir prime <= 0.4.0.beta.0 - Cross-Site Request Forgery in GraphQL |
| bobthecow--psysh | PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the Current Working Directory (CWD) on startup. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim's context. When the victim runs PsySH with elevated privileges (e.g., root), this results in local privilege escalation. This is a CWD configuration poisoning issue leading to arbitrary code execution in the victim user's context. If a privileged user (e.g., root, a CI runner, or an ops/debug account) launches PsySH with CWD set to an attacker-writable directory containing a malicious `.psysh.php`, the attacker can execute commands with that privileged user's permissions, resulting in local privilege escalation. Downstream consumers that embed PsySH inherit this risk. For example, Laravel Tinker (`php artisan tinker`) uses PsySH. If a privileged user runs Tinker while their shell is in an attacker-writable directory, the `.psysh.php` auto-load behavior can be abused in the same way to execute attacker-controlled code under the victim's privileges. Versions 0.11.23 and 0.12.19 patch the issue. | 2026-01-30 | 6.7 | CVE-2026-25129 | https://github.com/bobthecow/psysh/security/advisories/GHSA-4486-gxhx-5mg7 https://github.com/bobthecow/psysh/releases/tag/v0.11.23 https://github.com/bobthecow/psysh/releases/tag/v0.12.19 |
| bolo-solo--bolo-solo | A vulnerability has been found in bolo-solo up to 2.6.4. This impacts the function importMarkdownsSync of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component SnakeYAML. Such manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-01-30 | 6.3 | CVE-2026-1691 | VDB-343485 \| bolo-solo SnakeYAML BackupService.java importMarkdownsSync deserialization VDB-343485 \| CTI Indicators (IOB, IOC, IOA) Submit #741899 \| bolo-solo V2.6.4 SnakeYAML deserialization vulnerability https://github.com/bolo-blog/bolo-solo/issues/325 https://github.com/bolo-blog/bolo-solo/issues/325#issue-3828755519 |
| bplugins--Document Embedder Embed PDFs, Word, Excel, and Other Files | The Document Embedder - Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter. | 2026-01-28 | 5.3 | CVE-2026-1389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59d14f6c-6286-454c-8629-96a0c2de943c?source=cve https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L66 https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L103 https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L159 https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.5/includes/DocumentLibrary/Init-DocumentLibrary.php |
| Broadcom--Symantec Endpoint Protection Windows Client | Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to an Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | 2026-01-28 | 6.7 | CVE-2025-13918 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36774 |
| Broadcom--Symantec Endpoint Protection Windows Client | Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to establish persistence and evade detection by hijacking COM references in the Windows Registry. | 2026-01-28 | 4.4 | CVE-2025-13919 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36774 |
| Brother Industries, Ltd.--Multiple MFPs | Hidden functionality issue exists in multiple MFPs provided by Brother Industries, Ltd., which may allow an attacker to obtain the logs of the affected product and obtain sensitive information within the logs. | 2026-01-29 | 5.3 | CVE-2025-55704 | https://faq.brother.co.jp/app/answers/detail/a_id/13716 https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2026-0001.pdf https://jvn.jp/en/vu/JVNVU92878805/ |
| Bun--Bun | In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github). | 2026-01-27 | 5.9 | CVE-2026-24910 | https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack https://bun.com/blog/bun-v1.3.5 https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act |
| chainguard-dev--malcontent | malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI image reference. malcontent uses google/go-containerregistry for OCI image pulls, which by default uses the Docker credential keychain. A malicious registry could return a `WWW-Authenticate` header redirecting token authentication to an attacker-controlled endpoint, causing credentials to be sent to that endpoint. Version 1.20.3 fixes the issue by defaulting to anonymous auth for OCI pulls. | 2026-01-29 | 6.5 | CVE-2026-24845 | https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-9m43-p3cx-w8j5 https://github.com/chainguard-dev/malcontent/commit/538ed00cdc639d687a4bd1e843a2be0428a3b3e7 |
| chainguard-dev--malcontent | malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory. | 2026-01-29 | 5.5 | CVE-2026-24846 | https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96 https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017 |
| chrisnowak--Change WP URL | The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-28 | 4.3 | CVE-2026-1398 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f5dead05-5960-4ccb-89c2-c8bb0cd9c9e9?source=cve https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L18 https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L18 https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L85 https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L85 |
| code-projects--Online Examination System | A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-26 | 6.3 | CVE-2026-1423 | VDB-342839 \| code-projects Online Examination System admin_pic.php unrestricted upload VDB-342839 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736607 \| code-projects Online Examination System 1 Unrestricted Upload https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-3-remote-code-execution-via-unsafe-file-upload https://code-projects.org/ |
| code-projects--Online Music Site | A security flaw has been discovered in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Administrator/PHP/AdminAddCategory.php. The manipulation results in SQL injection. The attack may be performed remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-28 | 4.7 | CVE-2026-1533 | VDB-343219 \| code-projects Online Music Site AdminAddCategory.php sql injection VDB-343219 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738704 \| Code-Projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/yuji0903/silver-guide/issues/2 https://code-projects.org/ |
| codeccoop--Forms Bridge Infinite integrations | The Forms Bridge - Infinite integrations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in the 'financoop_campaign' shortcode in all versions up to, and including, 4.2.5. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' parameter in the forms_bridge_financoop_shortcode_error function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2026-1244 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e047822-5766-4e7f-be89-f4a15f0e6d51?source=cve https://plugins.trac.wordpress.org/browser/forms-bridge/trunk/addons/financoop/shortcodes.php#L389 https://plugins.trac.wordpress.org/browser/forms-bridge/tags/4.2.3/addons/financoop/shortcodes.php#L389 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3446693%40forms-bridge&new=3446693%40forms-bridge&sfp_email=&sfph_mail=#file1 |
| codepeople--Appointment Hour Booking Booking Calendar | The Appointment Hour Booking - Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min length/characters' and 'Max length/characters' field configuration values. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the form builder interface. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-28 | 4.4 | CVE-2026-1083 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a5cb1fea-134f-4c81-8f2f-76ee42df7f77?source=cve https://plugins.trac.wordpress.org/browser/appointment-hour-booking/trunk/js/fields-admin/01_fbuilder.ftext.js#L64 https://plugins.trac.wordpress.org/browser/appointment-hour-booking/tags/1.5.57/js/fields-admin/01_fbuilder.ftext.js#L64 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442650%40appointment-hour-booking&new=3442650%40appointment-hour-booking&sfp_email=&sfph_mail= |
| CriticalGears--PayPal PRO Payment Terminal | Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests and potentially execute session hijacking or phishing attacks. | 2026-02-01 | 6.4 | CVE-2021-47885 | Vulnerability Lab Advisory Product Homepage Product Homepage Product Homepage VulnCheck Advisory: Payment Terminal Multiple Versions Non-Persistent Cross-Site Scripting |
| crmperks--Database for Contact Form 7, WPforms, Elementor forms | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions. | 2026-01-28 | 5.3 | CVE-2026-0825 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4048ae11-fece-42aa-baf3-c636c4875635?source=cve https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L76 https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.4.5/contact-form-entries.php#L76 https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L301 https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/templates/leads-table.php#L10 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442962%40contact-form-entries&new=3442962%40contact-form-entries&sfp_email=&sfph_mail= |
| D-Link--DCS700l | A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-26 | 4.7 | CVE-2026-1419 | VDB-342815 \| D-Link DCS700l Web Form setDayNightMode command injection VDB-342815 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736554 \| D-Link DCS700l v1.03.09 Command Injection https://tzh00203.notion.site/D-Link-DCS700l-v1-03-09-Command-Injection-Vulnerability-in-LightSensorControl-Parameter-2e6b5c52018a80ada0f6d7e72efd7a45?source=copy_link https://www.dlink.com/ |
| D-Link--DIR-823X | A security flaw has been discovered in D-Link DIR-823X 250416. Impacted is the function sub_41E2A0 of the file /goform/set_mode. Performing a manipulation of the argument lan_gateway results in OS command injection. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-28 | 6.3 | CVE-2026-1544 | VDB-343228 \| D-Link DIR-823X set_mode sub_41E2A0 os command injection VDB-343228 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739155 \| D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/16 https://www.dlink.com/ |
| D-Link--DWR-M961 | A flaw has been found in D-Link DWR-M961 1.1.47. This vulnerability affects the function sub_419920 of the file /boafrm/formLtefotaUpgradeQuectel. This manipulation of the argument fota_url causes command injection. The attack can be carried out remotely. The exploit has been published and may be used. | 2026-01-29 | 6.3 | CVE-2026-1596 | VDB-343358 \| D-Link DWR-M961 formLtefotaUpgradeQuectel sub_419920 command injection VDB-343358 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740693 \| D-Link DWR-M961 V1.1.47 Command Injection https://github.com/QIU-DIE/CVE/issues/48 https://www.dlink.com/ |
| D-Link--DWR-M961 | A security vulnerability has been detected in D-Link DWR-M961 1.1.47. The affected element is an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-29 | 6.3 | CVE-2026-1624 | VDB-343383 \| D-Link DWR-M961 formLtefotaUpgradeFibocom command injection VDB-343383 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740770 \| D-Link DWR-M961 V1.1.47 Command Injection https://github.com/QIU-DIE/CVE/issues/50 https://www.dlink.com/ |
| D-Link--DWR-M961 | A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of the argument action_value results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2026-01-29 | 6.3 | CVE-2026-1625 | VDB-343384 \| D-Link DWR-M961 SMS Message formSmsManage sub_4250E0 command injection VDB-343384 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740792 \| D-Link DW V1.1.47 Command Injection https://github.com/QIU-DIE/CVE/issues/51 https://www.dlink.com/ |
| dcooney--Ajax Load More Infinite Scroll, Load More, & Lazy Load | The Ajax Load More - Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending, scheduled, and trashed posts. | 2026-01-31 | 5.3 | CVE-2025-15525 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d01f4e67-a463-4973-97b1-41a64398686a?source=cve https://plugins.trac.wordpress.org/browser/ajax-load-more/tags/7.8.1/core/classes/class-alm-queryargs.php#L500 |
| Dell--OpenManage Network Integration | Dell OpenManage Network Integration, versions prior to 3.9, contains an Improper Authentication vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 2026-01-29 | 4.3 | CVE-2026-22764 | https://www.dell.com/support/kbdoc/en-us/000420893/dsa-2026-045-security-update-for-dell-openmanage-network-integration-omni-vulnerabilities |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the `moderators_change_post_ownership` site setting to prevent non-admin moderators from using the post ownership transfer feature. | 2026-01-28 | 6.9 | CVE-2025-68933 | https://github.com/discourse/discourse/security/advisories/GHSA-hpxv-mw7v-fqg2 |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path. | 2026-01-28 | 6.5 | CVE-2025-68934 | https://github.com/discourse/discourse/security/advisories/GHSA-vwjh-vrx9-9849 |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the "personal message enabled groups" site setting until the Discourse instance has been upgraded to a version that has been patched. | 2026-01-28 | 6.5 | CVE-2026-21865 | https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39 |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access. | 2026-01-28 | 6.5 | CVE-2026-24742 | https://github.com/discourse/discourse/security/advisories/GHSA-hwjv-9gqj-m7h6 |
| discourse--discourse | Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials. Versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 fix the issue. As a workaround, disallow html or xml files for uploads in authorized_extensions. For existing html xml uploads, site owners can consider deleting them. | 2026-01-28 | 4.6 | CVE-2025-66488 | https://github.com/discourse/discourse/security/advisories/GHSA-68jp-3934-62rx |
| discourse--discourse | Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scripting vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the Discourse Math plugin can be disabled, or the Mathjax provider can be used instead of KaTeX. | 2026-01-28 | 4.6 | CVE-2025-67723 | https://github.com/discourse/discourse/security/advisories/GHSA-955h-m28g-5379 |
| discourse--discourse | Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerability in the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | 4.3 | CVE-2025-68659 | https://github.com/discourse/discourse/security/advisories/GHSA-rmp6-c9rq-6q7p |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 6.8 | CVE-2026-24784 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-jjwg-4948-6wxp |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue. | 2026-01-28 | 4.7 | CVE-2026-24839 | https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q https://github.com/Dokploy/dokploy/pull/3500 https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8 |
| Dolibarr--Dolibarr | Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to execute arbitrary JavaScript and potentially steal user cookie information. | 2026-01-30 | 6.4 | CVE-2020-36966 | ExploitDB-48504 Official Dolibarr Product Homepage VulnCheck Advisory: Dolibarr 11.0.3 - 'ldap.php' - Persistent Cross-Site Scripting |
| Eclipse Foundation--Eclipse ThreadX - USBX | The function `_ux_host_class_storage_media_mount()` is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition. This recursion occurs in `_ux_host_class_storage_partition_read()`, which parses up to four partition entries. If an extended partition is found (with type `UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED` or `EXTENDED_LBA_MAPPED`), the code invokes: `_ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(...));` There is no limit on the recursion depth or tracking of visited sectors. As a result, a malicious or malformed disk image can include cyclic or excessively deep chains of extended partitions, causing the function to recurse until stack overflow occurs. | 2026-01-27 | 4.2 | CVE-2025-55095 | https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-qfmp-wch9-rpv2 |
| Esri--ArcGIS Pro | There is a Cross Site Scripting issue in Esri ArcGIS Pro versions 3.6.0 and earlier. A local attacker could supply malicious strings into ArcGIS Pro which may execute when a specific dialog is opened. This issue is fixed in ArcGIS Pro 3.6.1. | 2026-01-26 | 5 | CVE-2026-1446 | https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch |
| EVerest--everest-core | EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with illegitimate data. Thanks to the modular design of EVerest, authorization is handled in a separate module and EVSEManager Charger internal state machine cannot transition out of the `WaitingForAuthentication` state through ISO 15118-2 communication. From this state, it was however possible through ISO 15118-2 messages which are published to the MQTT server to trick it into preparing to charge, and even to prepare to send current. The final requirement to actually send current to the EV was the closure of the contactors, which does not appear to be possible without leaving the `WaitingForAuthentication` state and leveraging ISO 15118-2 messages. As of time of publication, no fixed versions are available. | 2026-01-26 | 4.3 | CVE-2026-24003 | https://github.com/EVerest/everest-core/security/advisories/GHSA-9vv5-67cv-9crq https://github.com/EVerest/everest-core/blob/main/modules/EVSE/EvseV2G/iso_server.cpp#L44 |
| Filigran--OpenCTI | OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For example, a request to `/graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt>` will trigger an alert. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10. | 2026-01-30 | 5.4 | CVE-2020-37044 | ExploitDB-48595 OpenCTI Official Homepage OpenCTI GitHub Repository VulnCheck Advisory: OpenCTI 3.3.1 - Cross Site Scripting |
| forma--E-Learning Suite | Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without proper input sanitization. | 2026-01-30 | 6.4 | CVE-2020-36998 | ExploitDB-48478 Vendor Homepage Software Download Link VulnCheck Advisory: forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting |
| Formalms--Forma LMS | Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like `<script>alert(document.cookie)</script>` to execute arbitrary JavaScript when the profile is viewed by other users. | 2026-01-26 | 6.4 | CVE-2020-36960 | ExploitDB-49197 Official Product Website VulnCheck Advisory: Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting |
| Free5GC--SMF | A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been published and may be used. A patch should be applied to remediate this issue. | 2026-01-30 | 5.3 | CVE-2026-1682 | VDB-343475 \| Free5GC SMF PFCP UDP Endpoint handler.go HandlePfcpAssociationReleaseRequest null pointer dereference VDB-343475 \| CTI Indicators (IOB, IOC, IOA) Submit #739508 \| free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/794 https://github.com/free5gc/free5gc/issues/794#issuecomment-3761063382 https://github.com/free5gc/free5gc/issues/794#issue-3811888505 https://github.com/free5gc/smf/pull/188 |
| Free5GC--SMF | A vulnerability has been found in Free5GC SMF up to 4.1.0. Affected by this vulnerability is the function HandlePfcpSessionReportRequest of the file internal/pfcp/handler/handler.go of the component PFCP. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. To fix this issue, it is recommended to deploy a patch. | 2026-01-30 | 5.3 | CVE-2026-1683 | VDB-343476 \| Free5GC SMF PFCP handler.go HandlePfcpSessionReportRequest denial of service VDB-343476 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739653 \| free5gc SMF v4.1.0 Denial of Service Submit #739654 \| free5gc SMF v4.1.0 Denial of Service (Duplicate) https://github.com/free5gc/free5gc/issues/804 https://github.com/free5gc/free5gc/issues/804#issue-3816086696 https://github.com/free5gc/smf/pull/188 |
| Free5GC--SMF | A vulnerability was found in Free5GC SMF up to 4.1.0. Affected by this issue is the function HandleReports of the file /internal/context/pfcp_reports.go of the component PFCP UDP Endpoint. The manipulation results in denial of service. The attack can be executed remotely. It is advisable to implement a patch to correct this issue. | 2026-01-30 | 5.3 | CVE-2026-1684 | VDB-343477 \| Free5GC SMF PFCP UDP Endpoint pfcp_reports.go HandleReports denial of service VDB-343477 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739655 \| free5gc SMF v4.1.0 Denial of Service Submit #739656 \| free5gc SMF v4.1.0 Denial of Service (Duplicate) https://github.com/free5gc/free5gc/issues/806 https://github.com/free5gc/smf/pull/188 |
| Froxlor--Froxlor Froxlor Server Management Panel | Froxlor Server Management Panel 0.10.16 contains a persistent cross-site scripting vulnerability in customer registration input fields. Attackers can inject malicious scripts through username, name, and firstname parameters to execute code when administrators view customer traffic modules. | 2026-01-27 | 6.4 | CVE-2020-36978 | ExploitDB-49063 Official Froxlor Homepage Froxlor Download Page Vulnerability Lab Advisory Vulnerability Lab Profile Researcher Profile VulnCheck Advisory: Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting |
| Getgrav--Grav CMS Admin Plugin | Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the page is viewed in the admin panel or on the site. | 2026-01-26 | 6.4 | CVE-2020-36955 | ExploitDB-49264 Grav CMS Official Homepage VulnCheck Advisory: Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting |
| gi-docgen--gi-docgen | A flaw was found in gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page - enabling DOM access, session cookie theft and other client-side attacks - via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS). | 2026-01-26 | 6.1 | CVE-2025-11687 | https://access.redhat.com/security/cve/CVE-2025-11687 RHBZ#2403536 https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228 |
| GitoxideLabs--gitoxide | A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences. | 2026-01-26 | 6.8 | CVE-2026-0810 | https://access.redhat.com/security/cve/CVE-2026-0810 RHBZ#2427057 https://crates.io/crates/gix-date https://github.com/GitoxideLabs/gitoxide/issues/2305 https://rustsec.org/advisories/RUSTSEC-2025-0140.html |
| Goautodial--GOautodial | GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. Attackers can craft messages with embedded JavaScript that will execute when an administrator reads the message, potentially stealing session cookies or executing client-side attacks. | 2026-01-29 | 6.4 | CVE-2020-37018 | ExploitDB-48690 Official Vendor Homepage VulnCheck Advisory: GOautodial 4.0 - Persistent Cross-Site Scripting |
| GPAc--GPAC | A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue. | 2026-01-26 | 5.3 | CVE-2026-1418 | VDB-342807 \| GPAC SRT Subtitle Import text_to_bifs.c gf_text_import_srt_bifs out-of-bounds write VDB-342807 \| CTI Indicators (IOB, IOC, IOA) Submit #736544 \| gpac v2.4.0 Out-of-bounds Write https://github.com/gpac/gpac/issues/3425 https://github.com/gpac/gpac/issues/3425#issue-3801961068 https://github.com/enocknt/gpac/commit/10c73b82cf0e367383d091db38566a0e4fe71772 |
| GuidoNeele--PDW File Browser | PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. Attackers can craft malicious URLs or rename files with XSS payloads to execute arbitrary JavaScript in victims' browsers when they access the file browser. | 2026-01-28 | 5.4 | CVE-2020-36988 | ExploitDB-48947 PDW File Browser GitHub Repository VulnCheck Advisory: PDW File Browser <= v1.3 - Cross-Site Scripting (XSS) |
| halfdata--Stripe Green Downloads | Stripe Green Downloads WordPress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. Attackers can exploit input parameters to execute arbitrary scripts, potentially leading to session hijacking and application module manipulation. | 2026-02-01 | 6.4 | CVE-2022-50797 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Stripe Green Downloads Wordpress Plugin 2.03 Persistent XSS via Settings |
| HappyHackingSpace--gakido | Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests. | 2026-01-27 | 5.3 | CVE-2026-24489 | https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9 https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788 https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019 |
| HCLSoftware--BigFix Compliance | A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals. | 2026-01-28 | 5.3 | CVE-2023-37525 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128385 |
| HIKSEMI--HS-AFS-S1H1 | Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization. | 2026-01-30 | 4.3 | CVE-2026-22624 | https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html |
| HIKSEMI--HS-AFS-S1H1 | Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files. | 2026-01-30 | 4.6 | CVE-2026-22625 | https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html |
| HIKSEMI--HS-AFS-S1H1 | Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages. | 2026-01-30 | 4.9 | CVE-2026-22626 | https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue. | 2026-01-27 | 5.3 | CVE-2026-24472 | https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4 https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1 https://github.com/honojs/hono/releases/tag/v4.11.7 |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue. | 2026-01-27 | 4.8 | CVE-2026-24398 | https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37 https://github.com/honojs/hono/releases/tag/v4.11.7 |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue. | 2026-01-27 | 4.7 | CVE-2026-24771 | https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5 https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990 |
| hu_chao--imwptip | The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-28 | 4.3 | CVE-2026-1377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe987f0-6887-4ad1-a748-eb987bb574fa?source=cve https://plugins.trac.wordpress.org/browser/imwptip/trunk/classes/imwptipadmin.php#L11 https://plugins.trac.wordpress.org/browser/imwptip/tags/1.1/classes/imwptipadmin.php#L11 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query. | 2026-01-30 | 6.5 | CVE-2025-2668 | https://www.ibm.com/support/pages/node/7257518 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion. | 2026-01-30 | 6.5 | CVE-2025-36001 | https://www.ibm.com/support/pages/node/7257616 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an unauthenticated user to cause a denial of service due to excessive use of a global variable. | 2026-01-30 | 6.5 | CVE-2025-36009 | https://www.ibm.com/support/pages/node/7257623 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as a trap may occur when selecting from certain types of tables. | 2026-01-30 | 6.5 | CVE-2025-36070 | https://www.ibm.com/support/pages/node/7257624 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper allocation of resources. | 2026-01-30 | 6.5 | CVE-2025-36098 | https://www.ibm.com/support/pages/node/7257629 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service when copying a large table containing XML data due to improper allocation of system resources. | 2026-01-30 | 6.2 | CVE-2025-36123 | https://www.ibm.com/support/pages/node/7257627 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.2 | CVE-2025-36353 | https://www.ibm.com/support/pages/node/7257632 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 under specific configuration of cataloged remote storage aliases could allow an authenticated user to execute unauthorized commands due to an authorization bypass vulnerability using a user-controlled key. | 2026-01-30 | 6.8 | CVE-2025-36365 | https://www.ibm.com/support/pages/node/7257665 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36366 | https://www.ibm.com/support/pages/node/7257681 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an authenticated user to cause a denial of service when given a specially crafted query. | 2026-01-30 | 6.5 | CVE-2025-36387 | https://www.ibm.com/support/pages/node/7257690 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36407 | https://www.ibm.com/support/pages/node/7257692 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36423 | https://www.ibm.com/support/pages/node/7257694 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36424 | https://www.ibm.com/support/pages/node/7257695 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36427 | https://www.ibm.com/support/pages/node/7257696 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query with XML columns. | 2026-01-30 | 6.5 | CVE-2025-36442 | https://www.ibm.com/support/pages/node/7257698 |
| IBM--Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when the RPSCAN feature is enabled. | 2026-01-30 | 5.3 | CVE-2025-36428 | https://www.ibm.com/support/pages/node/7257697 |
| igniterealtime--Openfire | Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page. | 2026-01-26 | 6.4 | CVE-2020-36956 | ExploitDB-49229 Openfire GitHub Repository Openfire Software Downloads VulnCheck Advisory: Openfire 4.6.0 - 'path' Stored XSS |
| iJason-Liu--Books_Manager | A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This vulnerability affects unknown code of the file controllers/books_center/upload_bookCover.php. Performing a manipulation of the argument book_cover results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | 2026-01-26 | 4.7 | CVE-2026-1445 | VDB-342874 \| iJason-Liu Books_Manager upload_bookCover.php unrestricted upload VDB-342874 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736971 \| https://github.com/iJason-Liu/Books_Manager Books_Manager 1.0 File Upload https://blog.y1fan.work/2026/01/13/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0getshell/ |
| ilias.de--ILIAS Learning Management System | ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the portfolio is exported to PDF. | 2026-01-28 | 4 | CVE-2020-36944 | ExploitDB-49148 ILIAS Official Vendor Homepage ILIAS GitHub Repository VulnCheck Advisory: ILIAS Learning Management System 4.3 - SSRF |
| Inciga--Inciga Web | Inciga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks. | 2026-02-01 | 5.4 | CVE-2022-50942 | Vulnerability Lab Advisory Product Homepage Product Homepage VulnCheck Advisory: Inciga Web 2.8.2 Client-Side Cross-Site Scripting via EventListener |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, a heap buffer over-read occurs when the strlen() function attempts to read a non-null-terminated buffer, potentially leaking heap memory contents and causing application termination. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available. | 2026-01-28 | 6.1 | CVE-2026-24852 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-q8g2-mp32-3j7f https://github.com/InternationalColorConsortium/iccDEV/pull/540 https://github.com/InternationalColorConsortium/iccDEV/commit/3092499cd4d0775f4a716b999899f9c26f9bc614 |
| Is-Daouda--is-Engine | Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in Is-Daouda is-Engine. This issue affects is-Engine: before 3.3.4. | 2026-01-27 | 6.5 | CVE-2026-24829 | https://github.com/Is-Daouda/is-Engine/pull/7 |
| itsourcecode--School Management System | A weakness has been identified in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/course/controller.php. Executing a manipulation of the argument ID can lead to SQL injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-28 | 6.3 | CVE-2026-1551 | VDB-343247 \| itsourcecode School Management System controller.php sql injection VDB-343247 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740644 \| itsourcecode School Management System V1.0 SQL Injection Submit #740680 \| itsourcecode School Management System v1.0 SQL Injection (Duplicate) https://mega.nz/file/6cVwiA5A#BVwaxWlfeQCkkpHnuxPiMDZVb5qcYrsI6ftqdm_8mGk https://itsourcecode.com/ |
| iulia-cazan--Easy Replace Image | The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_url` function that is hooked to the `eri_from_url` AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to replace arbitrary image attachments on the site with images from external URLs, potentially enabling site defacement, phishing attacks, or content manipulation. | 2026-01-28 | 5.3 | CVE-2026-1298 | https://www.wordfence.com/threat-intel/vulnerabilities/id/27332c13-c25f-47ec-980d-035fc35ce553?source=cve https://plugins.trac.wordpress.org/browser/easy-replace-image/trunk/easy-replace-image.php#L961 https://plugins.trac.wordpress.org/browser/easy-replace-image/tags/3.5.2/easy-replace-image.php#L961 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3447984%40easy-replace-image&new=3447984%40easy-replace-image&sfp_email=&sfph_mail= |
| jdwebdesigner--Affiliate Pro | Affiliate Pro 1.7 contains multiple reflected cross-site scripting vulnerabilities in the index module's input fields. Attackers can inject malicious scripts through fullname, username, and email parameters to execute client-side attacks and manipulate browser requests. | 2026-02-01 | 5.4 | CVE-2021-47911 | Vulnerability Lab Advisory Product Homepage Product Homepage VulnCheck Advisory: Affiliate Pro 1.7 Reflected Cross-Site Scripting via Index Module |
| Jirafeau project--Jirafeau | Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like image. When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled by sending the HTTP header X-Content-Type-Options: nosniff. | 2026-01-28 | 6.1 | CVE-2026-1466 | https://gitlab.com/jirafeau/Jirafeau/-/commit/747afb20bfcff14bb67e40e7035d47a6311ba3e1 https://www.cve.org/CVERecord?id=CVE-2022-30110 https://www.cve.org/CVERecord?id=CVE-2024-12326 https://www.cve.org/CVERecord?id=CVE-2025-7066 |
| jishenghua--jshERP | A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasource.mappers.DepotItemMapperEx. The manipulation of the argument barCodes leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-28 | 6.3 | CVE-2026-1546 | VDB-343230 \| jishenghua jshERP com.jsh.erp.datasource.mappers.DepotItemMapperEx importItemExcel getBillItemByParam sql injection VDB-343230 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739688 \| https://github.com/jishenghua/jshERP jshERP v3.6 SQL Injection https://github.com/jishenghua/jshERP/issues/145 https://github.com/jishenghua/jshERP/issues/145#issue-3816930151 https://github.com/jishenghua/jshERP/ |
| jishenghua--jshERP | A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-28 | 4.3 | CVE-2026-1549 | VDB-343245 \| jishenghua jshERP PluginController uploadPluginConfigFile path traversal VDB-343245 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739805 \| https://github.com/jishenghua/jshERP jshERP v3.6 Path Traversal https://github.com/jishenghua/jshERP/issues/146 https://github.com/jishenghua/jshERP/issues/146#issue-3817997461 https://github.com/jishenghua/jshERP/ |
| Laravel Holdings Inc.--Laravel Nova | Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the 'range' parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server. | 2026-01-27 | 6.5 | CVE-2020-36950 | ExploitDB-49198 Laravel Nova Official Homepage Laravel Nova Releases Page VulnCheck Advisory: Laravel Nova 3.7.0 - 'range' DoS |
| libexpat project--libexpat | In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. | 2026-01-30 | 6.9 | CVE-2026-25210 | https://github.com/libexpat/libexpat/pull/1075 https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7 |
| Limesurvey--LimeSurvey | LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts. | 2026-01-28 | 6.4 | CVE-2020-36993 | ExploitDB-48762 LimeSurvey Official Website LimeSurvey Patch Commit VulnCheck Advisory: LimeSurvey <= 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting |
| linknacional--Link Invoice Payment for WooCommerce | The Link Invoice Payment for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the createPartialPayment and cancelPartialPayment functions in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to create partial payments on any order or cancel any existing partial payment via ID enumeration. | 2026-01-27 | 5.3 | CVE-2025-14971 | https://www.wordfence.com/threat-intel/vulnerabilities/id/96a8fc8b-6f0a-486c-89d1-7211b4ca31bd?source=cve https://plugins.trac.wordpress.org/browser/invoice-payment-for-woocommerce/tags/2.8.0/Includes/WcPaymentInvoiceEndpoint.php#L19 https://plugins.trac.wordpress.org/browser/invoice-payment-for-woocommerce/tags/2.8.0/Includes/WcPaymentInvoiceEndpoint.php#L179 |
| litonice13--WP Adminify White Label WordPress, Admin Menu Editor, Login Customizer | The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs. | 2026-01-28 | 5.3 | CVE-2026-1060 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7ecb4f95-346e-49b3-859f-44f28a72f065?source=cve https://plugins.trac.wordpress.org/browser/adminify/tags/4.0.6.1/Libs/Addons.php#L54 https://plugins.trac.wordpress.org/changeset/3442928/ |
| localsend--localsend | LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. In that file, the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch. | 2026-01-30 | 6.1 | CVE-2026-25154 | https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4 https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c |
| lxicon--Bitcoin Donate Button | The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings, including donation addresses and display configurations, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-28 | 4.3 | CVE-2026-1380 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3c973dd9-cfa3-4f06-a25a-c2786e3dca4d?source=cve https://plugins.trac.wordpress.org/browser/bitcoin-donate-button/trunk/btcbutton.php#L1 https://plugins.trac.wordpress.org/browser/bitcoin-donate-button/tags/1.0/btcbutton.php#L1 |
| mamunreza--Vzaar Media Management | The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-28 | 5.3 | CVE-2026-1391 | https://www.wordfence.com/threat-intel/vulnerabilities/id/398a75b1-6470-44b3-aaea-d5e8b10db115?source=cve https://plugins.trac.wordpress.org/browser/vzaar-media-management/trunk/admin/vzaar-media-upload.php#L103 https://plugins.trac.wordpress.org/browser/vzaar-media-management/tags/1.2/admin/vzaar-media-upload.php#L103 |
| mapstructure--mapstructure | A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts. | 2026-01-26 | 5.3 | CVE-2025-11065 | https://access.redhat.com/security/cve/CVE-2025-11065 RHBZ#2391829 https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm |
| metagauss--RegistrationMagic Custom Registration Forms, User Registration, Payment, and User Login | The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles. | 2026-01-28 | 5.3 | CVE-2026-1054 | https://www.wordfence.com/threat-intel/vulnerabilities/id/daf4d246-85f3-48b3-985f-982fea4772f1?source=cve https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.9/admin/controllers/class_rm_options_controller.php#L209 https://plugins.trac.wordpress.org/changeset/3444777/ |
| michalc--PDW File Browser | PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can upload a .txt webshell, rename it to .php, and move it to accessible directories using double-encoded path traversal techniques. | 2026-01-28 | 6.5 | CVE-2020-36973 | ExploitDB-48987 PDW File Browser GitHub Repository VulnCheck Advisory: PDW File Browser 1.3 - Remote Code Execution |
| microsoft--maker.js | Maker.js is a 2D vector line drawing and shape modeling library for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2. | 2026-01-28 | 6.5 | CVE-2026-24888 | https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8 https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241 |
| midgetspy--Sickbeard | Sickbeard alpha contains a cross-site request forgery vulnerability that allows attackers to disable authentication by submitting crafted configuration parameters. Attackers can trick users into submitting a malicious form that clears web username and password, effectively removing authentication protection. | 2026-01-30 | 5.3 | CVE-2020-37026 | ExploitDB-48712 Archived Sickbeard Official Homepage Sickbeard GitHub Repository VulnCheck Advisory: Sickbeard 0.1 - Cross-Site Request Forgery |
| migaweb--Simple calendar for Elementor | The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_editor_cal_delete` AJAX action with both authenticated and unauthenticated access enabled. This makes it possible for unauthenticated attackers to delete arbitrary calendar entries by sending a request with a valid nonce and the calendar entry ID. | 2026-01-28 | 5.3 | CVE-2026-1310 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e537c56d-7c5e-4f21-b266-ef3d1a87caf2?source=cve https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/trunk/widget/includes/backend_functions.php#L3 https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/tags/1.6.6/widget/includes/backend_functions.php#L3 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444617%40simple-calendar-for-elementor&new=3444617%40simple-calendar-for-elementor&sfp_email=&sfph_mail= |
| miles99--WP Google Ad Manager Plugin | The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-28 | 4.4 | CVE-2026-1399 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3185d82-a785-4165-8469-abc0be38f852?source=cve https://plugins.trac.wordpress.org/browser/wp-google-ad-manager-plugin/trunk/WP-Google-Ad-Manager.php#L194 https://plugins.trac.wordpress.org/browser/wp-google-ad-manager-plugin/tags/1.1.0/WP-Google-Ad-Manager.php#L194 |
| MongoDB--Mongo-c-driver | User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container. | 2026-01-27 | 6.5 | CVE-2025-14911 | https://jira.mongodb.org/browse/CDRIVER-6125 |
| MrPlugins--BootCommerce | BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unvalidated input parameters to execute arbitrary scripts, potentially leading to session hijacking, phishing attacks, and application module manipulation. | 2026-02-01 | 6.4 | CVE-2022-50941 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: BootCommerce 3.2.1 Persistent Cross-Site Scripting via Order Checkout |
| Naviwebs S.C.--Navigate CMS | Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation. | 2026-01-30 | 4.3 | CVE-2020-37054 | ExploitDB-48548 Navigate CMS Official Homepage Navigate CMS SourceForge Page VulnCheck Advisory: Navigate CMS 2.8.7 - Cross-Site Request Forgery |
| nebojsadabic--Target Video Easy Publish | The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'placeholder_img' parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-8072 | https://www.wordfence.com/threat-intel/vulnerabilities/id/26e16dd3-66bc-4174-acc1-ee22713ae979?source=cve https://plugins.trac.wordpress.org/browser/brid-video-easy-publish/tags/3.8.6/lib/BridShortcode.php#L204 https://wordpress.org/plugins/brid-video-easy-publish/#developers https://plugins.trac.wordpress.org/changeset/3437514/brid-video-easy-publish/trunk/lib/BridShortcode.php |
| NetArt Media--Easy Cart Shopping Cart | Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword parameter. Remote attackers can inject malicious script code through the search input to compromise user sessions and manipulate application content. | 2026-02-01 | 6.4 | CVE-2021-47856 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Easy Cart Shopping Cart 2021 Cross-Site Scripting via Search Parameter |
| nocodb--nocodb | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue. | 2026-01-28 | 4.9 | CVE-2026-24766 | https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9 |
| nocodb--nocodb | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied. Version 0.301.0 contains a patch for the issue. | 2026-01-28 | 4.9 | CVE-2026-24767 | https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9 |
| NVIDIA--GeForce | NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. | 2026-01-28 | 5.5 | CVE-2025-33237 | https://nvd.nist.gov/vuln/detail/CVE-2025-33237 https://www.cve.org/CVERecord?id=CVE-2025-33237 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with datasets `save` nor `state` options. | 2026-01-27 | 5.9 | CVE-2026-22262 | https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86 https://github.com/OISF/suricata/commit/0eff24213763c2aa2bb0957901d5dc1e18414dbf https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1 https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb https://github.com/OISF/suricata/commit/32a1b9ae6aa80a60c073897e38a2ac6ea0f64521 https://github.com/OISF/suricata/commit/d6bc718e303ecbec5999066b8bc88eeeca743658 https://github.com/OISF/suricata/commit/d767dfadcd166f82683757818b9e46943326ac90 https://redmine.openinfosecfoundation.org/issues/8110 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available. | 2026-01-27 | 5.3 | CVE-2026-22263 | https://github.com/OISF/suricata/security/advisories/GHSA-rwc5-hxj6-hwx7 https://github.com/OISF/suricata/commit/018a377f74e3eb2b042c6f783ad9043060923428 https://redmine.openinfosecfoundation.org/issues/8201 |
| Open5GS--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_bearer_resource_failure_indication of the file src/sgwc/s5c-handler.c of the component SGWC. Performing a manipulation results in denial of service. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The patch is named 69b53add90a9479d7960b822fc60601d659c328b. It is recommended to apply a patch to fix this issue. | 2026-01-28 | 5.3 | CVE-2026-1521 | VDB-343192 \| Open5GS SGWC s5c-handler.c denial of service VDB-343192 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738370 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4268 https://github.com/open5gs/open5gs/issues/4268#event-21989483261 https://github.com/open5gs/open5gs/issues/4268#issue-3795012861 https://github.com/open5gs/open5gs/commit/69b53add90a9479d7960b822fc60601d659c328b |
| Open5GS--Open5GS | A weakness has been identified in Open5GS up to 2.7.6. This vulnerability affects the function sgwc_s5c_handle_modify_bearer_response of the file src/sgwc/s5c-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This patch is called b19cf6a. Applying a patch is advised to resolve this issue. The issue report is flagged as already-fixed. | 2026-01-28 | 5.3 | CVE-2026-1522 | VDB-343193 \| Open5GS SGWC s5c-handler.c sgwc_s5c_handle_modify_bearer_response denial of service VDB-343193 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738371 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4266 https://github.com/open5gs/open5gs/issues/4266#event-21968568116 https://github.com/open5gs/open5gs/issues/4266#issue-3794991595 https://github.com/open5gs/open5gs/commit/b19cf6a |
| Open5GS--Open5GS | A flaw has been found in Open5GS up to 2.7.5. Impacted is the function ogs_gtp2_f_teid_to_ip of the file /sgwc/s11-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack may be performed remotely. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed. | 2026-01-29 | 5.3 | CVE-2026-1586 | VDB-343349 \| Open5GS SGWC s11-handler.c ogs_gtp2_f_teid_to_ip denial of service VDB-343349 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738375 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4273 https://github.com/open5gs/open5gs/issues/4273#event-21968643659 https://github.com/open5gs/open5gs/issues/4273#issue-3796030721 |
| Open5GS--Open5GS | A vulnerability has been found in Open5GS up to 2.7.6. The affected element is the function sgwc_s11_handle_modify_bearer_request of the file /sgwc/s11-handler.c of the component SGWC. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Applying a patch is the recommended action to fix this issue. The issue report is flagged as already-fixed. | 2026-01-29 | 5.3 | CVE-2026-1587 | VDB-343350 \| Open5GS SGWC s11-handler.c sgwc_s11_handle_modify_bearer_request denial of service VDB-343350 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738376 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4272 https://github.com/open5gs/open5gs/issues/4272#event-21968635948 https://github.com/open5gs/open5gs/issues/4272#issue-3795156752 |
| OpenZ--OpenZ ERP | OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules. | 2026-01-30 | 6.4 | CVE-2020-37022 | ExploitDB-48450 OpenZ Official Website OpenZ Download Page Vulnerability Lab Advisory VulnCheck Advisory: OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting |
| opf--openproject | OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows mentioning OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that, upon opening, could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable. | 2026-01-28 | 6.3 | CVE-2026-24775 | https://github.com/opf/openproject/security/advisories/GHSA-35c6-x276-2pvc https://github.com/opf/op-blocknote-extensions/releases/tag/v0.0.22 |
| Orchardcore--Orchard Core | Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers. | 2026-01-30 | 6.4 | CVE-2020-37019 | ExploitDB-48456 Orchard Core Official Website Orchard Core GitHub Repository GitHub Issue #5802 VulnCheck Advisory: Orchard Core RC1 - Persistent Cross-Site Scripting |
| Php-Fusion--PHPFusion | PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScript through forum messages that will execute when the print page is generated, allowing script execution in victim browsers. | 2026-01-30 | 6.4 | CVE-2020-36996 | ExploitDB-48497 PHPFusion Official Homepage PHPFusion Download Page VulnCheck Advisory: PHPFusion 9.03.50 - Persistent Cross-Site Scripting |
| PHPGurukul--Hospital Management System | A security flaw has been discovered in PHPGurukul Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /hms/hospital/docappsystem/adminviews.py of the component Admin Dashboard Page. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. | 2026-01-28 | 6.3 | CVE-2026-1550 | VDB-343246 \| PHPGurukul Hospital Management System Admin Dashboard adminviews.py improper authorization VDB-343246 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739837 \| PHPGurukul Hospital Management System v1.0 Missing Authorization https://github.com/rsecroot/Hospital-Management-System/blob/main/Broken%20Access%20Control.md https://phpgurukul.com/ |
| PHPGurukul--News Portal | A vulnerability was identified in PHPGurukul News Portal 1.0. This affects an unknown part of the component Profile Pic Handler. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2026-01-26 | 4.7 | CVE-2026-1424 | VDB-342840 \| PHPGurukul News Portal Profile Pic unrestricted upload VDB-342840 \| CTI Indicators (IOB, IOC, TTP) Submit #736637 \| PHPGurukul News Portal v1.0 Cross Site Scripting https://github.com/rsecroot/News-Portal/blob/main/Cross%20Site%20Scripting.md https://phpgurukul.com/ |
| PHPSUGAR--PHP Melody | PHP Melody version 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user import files. Attackers can inject malicious scripts through unvalidated parameters to execute client-side attacks and potentially hijack user sessions. | 2026-02-01 | 6.4 | CVE-2021-47912 | Vulnerability Lab Advisory Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: PHP Melody 3.0 Non-Persistent Cross-Site Scripting via Multiple Parameters |
| PHPSUGAR--PHP Melody | PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the video editor that allows privileged users to inject malicious scripts. Attackers can exploit the WYSIWYG editor to execute persistent scripts, potentially leading to session hijacking and application manipulation. | 2026-02-01 | 6.4 | CVE-2021-47913 | Vulnerability Lab Advisory Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: PHP Melody 3.0 Persistent Cross-Site Scripting via Video Editor |
| PHPSUGAR--PHP Melody | PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. Attackers can exploit this vulnerability to execute arbitrary JavaScript, potentially leading to session hijacking, persistent phishing, and manipulation of application modules. | 2026-02-01 | 6.4 | CVE-2021-47914 | Vulnerability Lab Advisory Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: PHP Melody 3.0 Persistent XSS Vulnerability via Edit Video Parameter |
| pnpm--pnpm | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`. The issue impacts all pnpm users who install packages with binary assets, users who configure custom Node.js binary locations and CI/CD pipelines that auto-install binary dependencies. It can lead to overwriting config files, scripts, or other sensitive files leading to RCE. Version 10.28.1 contains a patch. | 2026-01-26 | 6.5 | CVE-2026-23888 | https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868 https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5 https://github.com/pnpm/pnpm/releases/tag/v10.28.1 |
| pnpm--pnpm | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch. | 2026-01-26 | 6.5 | CVE-2026-23889 | https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0 https://github.com/pnpm/pnpm/releases/tag/v10.28.1 |
| pnpm--pnpm | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch. | 2026-01-26 | 6.5 | CVE-2026-23890 | https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d https://github.com/pnpm/pnpm/releases/tag/v10.28.1 |
| presstigers--Simple Folio | The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-14039 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c32a71d6-d61c-4f6f-9d35-70140235af7c?source=cve https://plugins.trac.wordpress.org/browser/simple-folio/trunk/templates/single-simple-folio.php#L70 https://plugins.trac.wordpress.org/browser/simple-folio/tags/1.1.1/templates/single-simple-folio.php#L70 https://plugins.trac.wordpress.org/browser/simple-folio/trunk/templates/single-simple-folio.php#L76 https://plugins.trac.wordpress.org/browser/simple-folio/tags/1.1.1/templates/single-simple-folio.php#L76 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442515%40simple-folio&new=3442515%40simple-folio&sfp_email=&sfph_mail= |
| Product Owner: Webile--Webile | Webile 1.0.1 contains a directory traversal vulnerability that allows remote attackers to manipulate file system paths without authentication. Attackers can exploit path manipulation to access sensitive system directories and potentially compromise the mobile device's local file system. | 2026-02-01 | 6.5 | CVE-2022-50950 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Webile 1.0.1 Directory Traversal Vulnerability via Web Application |
| psmplugins--SupportCandy Helpdesk & Customer Support Ticket System | The SupportCandy - Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-31 | 6.5 | CVE-2026-0683 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a7856d0f-bc7d-436c-968c-631fd6a686ab?source=cve https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1265 https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1288 https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/custom-field-types/class-wpsc-cf-number.php#L371 https://plugins.trac.wordpress.org/changeset/3448376/ |
| psmplugins--SupportCandy Helpdesk & Customer Support Ticket System | The SupportCandy - Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners. | 2026-01-31 | 5.4 | CVE-2026-1251 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89df3005-0967-474f-8a4e-3b23273dd1a2?source=cve https://plugins.trac.wordpress.org/browser/supportcandy/trunk/includes/admin/tickets/class-wpsc-individual-ticket.php#L1603 https://plugins.trac.wordpress.org/changeset/3448376/ |
| pymumu--SmartDNS | A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVCB Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The patch is identified as 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Applying a patch is advised to resolve this issue. | 2026-01-26 | 5.6 | CVE-2026-1425 | VDB-342841 \| pymumu SmartDNS SVBC Record dns.c _dns_decode_SVCB_HTTPS stack-based overflow VDB-342841 \| CTI Indicators (IOB, IOC, IOA) Submit #736827 \| pymumu smartdns 47.1 Stack-based Buffer Overflow https://github.com/pymumu/smartdns/commit/2d57c4b4e1add9b4537aeb403f794a084727e1c8 |
| QlikTech International AB--QlikView | QlikView 12.50.20000.0 contains a denial of service vulnerability in the FTP server address input field that allows local attackers to crash the application. Attackers can paste a 300-character buffer into the FTP server address field to trigger an application crash and prevent normal functionality. | 2026-01-29 | 6.2 | CVE-2020-36994 | ExploitDB-48732 Vendor Homepage VulnCheck Advisory: QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service |
| QR Menu Pro Smart Menu Systems--Menu Panel | Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Exploitation of Trusted Identifiers. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 5.7 | CVE-2025-7013 | https://www.usom.gov.tr/bildirim/tr-26-0007 |
| QR Menu Pro Smart Menu Systems--Menu Panel | Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 5.7 | CVE-2025-7014 | https://www.usom.gov.tr/bildirim/tr-26-0007 |
| QWE Labs--QWE DL | QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. Attackers can exploit the vulnerability to execute persistent cross-site scripting attacks, potentially leading to session hijacking and application module manipulation. | 2026-02-01 | 6.4 | CVE-2023-54343 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: QWE DL 2.0.1 Persistent XSS Vulnerability via Path Parameter |
| recooty--Recooty Job Widget (Old Dashboard) | The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. This makes it possible for unauthenticated attackers to update the recooty_key option and inject malicious content into iframe src attributes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-28 | 4.3 | CVE-2025-14616 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eb14f084-6f36-4702-8a28-b62811739407?source=cve https://plugins.trac.wordpress.org/browser/recooty/trunk/admin/init.php#L72 https://plugins.trac.wordpress.org/browser/recooty/tags/1.0.4/admin/init.php#L72 https://plugins.trac.wordpress.org/browser/recooty/trunk/init.php#L41 https://plugins.trac.wordpress.org/browser/recooty/tags/1.0.4/init.php#L41 |
| Red Hat--Red Hat build of Quarkus | A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausting available database connections. | 2026-01-26 | 4.3 | CVE-2025-14969 | https://access.redhat.com/security/cve/CVE-2025-14969 RHBZ#2423822 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services. | 2026-01-27 | 5.8 | CVE-2026-1467 | https://access.redhat.com/security/cve/CVE-2026-1467 RHBZ#2433174 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable. | 2026-01-27 | 5.4 | CVE-2026-1489 | https://access.redhat.com/security/cve/CVE-2026-1489 RHBZ#2433348 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction. | 2026-01-28 | 5.8 | CVE-2026-1536 | https://access.redhat.com/security/cve/CVE-2026-1536 RHBZ#2433834 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data. | 2026-01-28 | 5.8 | CVE-2026-1539 | https://access.redhat.com/security/cve/CVE-2026-1539 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks. | 2026-01-26 | 4 | CVE-2025-9820 | https://access.redhat.com/security/cve/CVE-2025-9820 RHBZ#2392528 https://gitlab.com/gnutls/gnutls/-/commit/1d56f96f6ab5034d677136b9d50b5a75dff0faf5 https://gitlab.com/gnutls/gnutls/-/issues/1732 https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably. | 2026-01-27 | 4.2 | CVE-2026-1484 | https://access.redhat.com/security/cve/CVE-2026-1484 RHBZ#2433259 |
| Red Hat--Red Hat OpenShift Virtualization 4 | A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking changes to the Virtual Machine Instance (VMI). This allows the VM user to restrict the VM administrator's ability to manage the VM, leading to a denial of service for administrative operations. | 2026-01-26 | 6.4 | CVE-2025-14525 | https://access.redhat.com/security/cve/CVE-2025-14525 RHBZ#2421360 |
| rupantorpay--Rupantorpay | The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint. | 2026-01-28 | 5.3 | CVE-2025-15511 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1b21bdfd-42ec-43fe-b581-04276b86c50b?source=cve https://plugins.trac.wordpress.org/browser/rupantorpay/tags/2.0.0/includes/class-wc-rupantorpay-gateway.php#L172 |
| RustCrypto--signatures | The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. The current implementation uses a non-strict monotonic check (`<=` instead of `<`), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict `<` comparison to `<=`, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue. | 2026-01-28 | 5.3 | CVE-2026-24850 | https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9 https://github.com/RustCrypto/signatures/issues/894 https://github.com/RustCrypto/signatures/pull/895 https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38 https://csrc.nist.gov/pubs/fips/204/final https://datatracker.ietf.org/doc/html/rfc9881 https://github.com/C2SP/wycheproof https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json |
| salihciftci--Liman | Liman 0.7 contains a cross-site request forgery vulnerability that allows attackers to manipulate user account settings without proper request validation. Attackers can craft malicious HTML forms to change user passwords or modify account information by tricking logged-in users into submitting unauthorized requests. | 2026-01-29 | 5.3 | CVE-2020-37007 | ExploitDB-48869 Archived Liman GitHub Repository VulnCheck Advisory: Liman 0.7 - Cross-Site Request Forgery (Change Password) |
| Salt Project--Salt | Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues. | 2026-01-30 | 6.2 | CVE-2025-62349 | Salt 3006.17 release notes (fix and minimum_auth_version) Salt 3007.9 release notes (fix and minimum_auth_version) |
| Sangfor--Operation and Maintenance Security Management System | A vulnerability was found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function portValidate of the file /fort/ip_and_port/port_validate of the component HTTP POST Request Handler. Performing a manipulation of the argument port results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-01-26 | 6.3 | CVE-2026-1413 | VDB-342802 \| Sangfor Operation and Maintenance Security Management System HTTP POST Request port_validate portValidate command injection VDB-342802 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736522 \| Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统) v3.0.12 Command Injection https://github.com/LX-LX88/cve/issues/23 |
| Sangfor--Operation and Maintenance Security Management System | A vulnerability was determined in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This impacts the function getInformation of the file /equipment/get_Information of the component HTTP POST Request Handler. Executing a manipulation of the argument fortEquipmentIp can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-26 | 6.3 | CVE-2026-1414 | VDB-342803 | Sangfor Operation and Maintenance Security Management System HTTP POST Request get_Information getInformation command injection VDB-342803 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #736524 | Sangfor Operation and Maintenance Security Management System (OSM / è¿ç»´å®‰å…¨ç®¡ç†ç³»ç»Ÿ) v3.0.12 Command Injection https://github.com/LX-LX88/cve/issues/24 |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality; integrity and availability are not impacted. | 2026-01-27 | 4.3 | CVE-2026-23683 | https://me.sap.com/notes/3122486 https://url.sap/sapsecuritypatchday |
| Sellacious--Sellacious eCommerce | Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules. | 2026-01-30 | 6.4 | CVE-2020-37003 | ExploitDB-48467 Official Sellacious eCommerce Homepage Sellacious Product Details Vulnerability Lab Advisory VulnCheck Advisory: Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting |
| SEMCMS--SEMCMS | A security vulnerability has been detected in SEMCMS 5.0. This vulnerability affects unknown code of the file /SEMCMS_Info.php. The manipulation of the argument searchml leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 6.3 | CVE-2026-1552 | VDB-343248 \| SEMCMS SEMCMS_Info.php sql injection VDB-343248 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740549 \| SEMCMS SEMCMS 外贸网站php多语言版 V5.0 SQL Injection https://github.com/Sqli22/Sqli/issues/4 |
| seomantis--SEO Links Interlinking | The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-28 | 6.1 | CVE-2025-14063 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d71143d6-d477-4a63-8f99-f4cc8a590536?source=cve https://wordpress.org/plugins/seo-links-interlinking/ https://plugins.trac.wordpress.org/browser/seo-links-interlinking/trunk/scdata.php#L504 https://plugins.trac.wordpress.org/browser/seo-links-interlinking/tags/1.7.5/scdata.php#L504 https://plugins.trac.wordpress.org/browser/seo-links-interlinking/trunk/scdata.php#L512 https://plugins.trac.wordpress.org/browser/seo-links-interlinking/tags/1.7.5/scdata.php#L512 |
| Simplephpscripts--Simple CMS | Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. Attackers can exploit the newUser and editUser modules to inject persistent scripts that execute on user list preview, potentially leading to session hijacking and application manipulation. | 2026-02-01 | 6.4 | CVE-2021-47917 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Simple CMS 2.1 Persistent Cross-Site Scripting via User Input Parameters |
| Simplephpscripts--Simple CMS | Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. | 2026-02-01 | 6.4 | CVE-2021-47919 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Simple CMS 2.1 Non-Persistent Cross-Site Scripting via Preview Parameter |
| smarterDroid--WiFi File Transfer | WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code through file and folder names. Attackers can exploit the web server's input validation weakness to execute arbitrary JavaScript when users preview infected file paths, potentially compromising user browser sessions. | 2026-02-01 | 6.4 | CVE-2022-50951 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: WiFi File Transfer 1.0.8 Persistent XSS via Web Server Input Validation |
| SourceCodester--Pet Grooming Management Software | A vulnerability was detected in SourceCodester Pet Grooming Management Software 1.0. Impacted is an unknown function of the file /admin/operation/user.php of the component User Management. Performing a manipulation of the argument group_id results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. | 2026-01-30 | 6.3 | CVE-2026-1702 | VDB-343492 \| SourceCodester Pet Grooming Management Software User Management user.php improper authorization VDB-343492 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742226 \| SourceCodester Pet grooming management software 1.0 Improper Access Controls https://github.com/Asim-QAZi/Improper-Access-Control---in-Pet-Grooming-Management-Software https://www.sourcecodester.com/ |
| stellar--rs-soroban-sdk | soroban-sdk is a Rust SDK for Soroban contracts. Arithmetic overflow can be triggered in the `Bytes::slice`, `Vec::slice`, and `Prng::gen_range` (for `u64`) methods in the `soroban-sdk` in versions up to and including `25.0.1`, `23.5.1`, and `25.0.2`. Contracts that pass user-controlled or computed range bounds to `Bytes::slice`, `Vec::slice`, or `Prng::gen_range` may silently operate on incorrect data ranges or generate random numbers from an unintended range, potentially resulting in corrupted contract state. Note that the best practice when using the `soroban-sdk` and building Soroban contracts is to always enable `overflow-checks = true`. The `stellar contract init` tool that prepares the boilerplate for a Soroban contract, as well as all examples and docs, encourage configuring `overflow-checks = true` on `release` profiles so that these arithmetic operations fail rather than silently wrap. Contracts are only impacted if they use `overflow-checks = false` either explicitly or implicitly. It is anticipated the majority of contracts could not be impacted because the best practice encouraged by tooling is to enable `overflow-checks`. The fix available in `25.0.1`, `23.5.1`, and `25.0.2` replaces bare arithmetic with `checked_add` / `checked_sub`, ensuring overflow traps regardless of the `overflow-checks` profile setting. As a workaround, contract workspaces can be configured with a profile available in the GitHub Security Advisory to enable overflow checks on the arithmetic operations. This is the best practice when developing Soroban contracts, and the default if using the contract boilerplate generated using `stellar contract init`. Alternatively, contracts can validate range bounds before passing them to `slice` or `gen_range` to ensure the conversions cannot overflow. | 2026-01-28 | 5.3 | CVE-2026-24889 | https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-96xm-fv9w-pf3f https://github.com/stellar/rs-soroban-sdk/pull/1703 https://github.com/stellar/rs-soroban-sdk/commit/3890521426d71bb4d892b21f5a283a1e836cfa38 https://github.com/stellar/rs-soroban-sdk/commit/59fcef437260ed4da42d1efb357137a5c166c02e https://github.com/stellar/rs-soroban-sdk/commit/c2757c6d774dbb28b34a0b77ffe282e59f0f8462 https://github.com/stellar/rs-soroban-sdk/releases/tag/v22.0.9 https://github.com/stellar/rs-soroban-sdk/releases/tag/v23.5.1 https://github.com/stellar/rs-soroban-sdk/releases/tag/v25.0.2 |
| supercleanse--Stripe Payments by Buy Now Plus Best WordPress Stripe Credit Card Payments Plugin | The Buy Now Plus - Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buynowplus' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2026-1295 | https://www.wordfence.com/threat-intel/vulnerabilities/id/87d228bb-eb5b-44ca-91f7-ada730635a3f?source=cve https://plugins.trac.wordpress.org/browser/buy-now-plus/tags/1.0.2/class-bnp-buttons.php#L17 https://plugins.trac.wordpress.org/browser/buy-now-plus/tags/1.0.2/class-bnp-buttons.php#L36 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444416%40buy-now-plus&new=3444416%40buy-now-plus&sfp_email=&sfph_mail= |
| symfony--symfony | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as "special" when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2's argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contain a patch for the issue. Some workarounds are available. Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior. | 2026-01-28 | 6.3 | CVE-2026-24739 | https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6 https://github.com/symfony/symfony/issues/62921 https://github.com/symfony/symfony/pull/63164 https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3 https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b |
| Tanium--Asset | Tanium addressed a SQL injection vulnerability in Asset. | 2026-01-28 | 6.3 | CVE-2025-15344 | TAN-2025-035 |
| Tanium--Discover | Tanium addressed an uncontrolled resource consumption vulnerability in Discover. | 2026-01-26 | 4.9 | CVE-2026-1224 | TAN-2026-001 |
| Tanium--Tanium Server | Tanium addressed an improper access controls vulnerability in Tanium Server. | 2026-01-30 | 4.3 | CVE-2025-15322 | TAN-2025-028 |
| TeamViewer--DEX | A vulnerability in TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to cause normally encrypted UDP traffic to be sent in cleartext. This can result in disclosure of sensitive information. | 2026-01-29 | 6.5 | CVE-2026-23564 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer--DEX | A vulnerability in TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to cause the NomadBranch.exe process to terminate via crafted requests. This can result in a denial-of-service condition of the Content Distribution Service. | 2026-01-29 | 6.5 | CVE-2026-23565 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer--DEX | A vulnerability in TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to inject, tamper with, or forge log entries in \Nomad Branch.log via crafted data sent to the UDP network handler. This can impact log integrity and nonrepudiation. | 2026-01-29 | 6.5 | CVE-2026-23566 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer--DEX | An integer underflow in the UDP command handler of the TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an adjacent network attacker to trigger a heap-based buffer overflow and cause a denial-of-service (service crash) via specially crafted UDP packets. | 2026-01-29 | 6.5 | CVE-2026-23567 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer--DEX | An out-of-bounds read vulnerability in the TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows a remote attacker to leak stack memory and cause a denial of service via a crafted request. The leaked stack memory could be used to bypass ASLR remotely and facilitate exploitation of other vulnerabilities on the affected system. | 2026-01-29 | 6.5 | CVE-2026-23569 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer--DEX | A missing validation of a user-controlled value in the TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an adjacent network attacker to tamper with log timestamps via a crafted UDP Sync command. This could result in forged or nonsensical datetime prefixes, compromising log integrity and forensic correlation. | 2026-01-29 | 6.5 | CVE-2026-23570 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer--DEX | A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Nomad-RunPkgStatusRequest instruction. Improper input validation allows authenticated attackers with actioner privilege to run elevated arbitrary commands on connected hosts via malicious commands injected into the instruction's input field. Users of 1E Client version 24.5 or higher are not affected. | 2026-01-29 | 6.8 | CVE-2026-23571 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/ |
| TeamViewer--DEX | Improper Link Resolution Before File Access (invoked by 1E Explorer TachyonCore DeleteFileByPath instruction) in TeamViewer DEX - 1E Client before version 26.1 on Windows allows a low privileged local attacker to delete protected system files via a crafted RPC control junction or symlink that is followed when the delete instruction executes. | 2026-01-29 | 5.7 | CVE-2026-23563 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/ |
| TeamViewer--DEX | An out-of-bounds read vulnerability in the TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to cause information disclosure or denial-of-service via a specially crafted packet. The leaked memory could be used to bypass ASLR and facilitate further exploitation. | 2026-01-29 | 5.4 | CVE-2026-23568 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| Tenda--AC21 | A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-29 | 6.3 | CVE-2026-1638 | VDB-343417 \| Tenda AC21 mDMZSetCfg command injection VDB-343417 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740871 \| Tenda AC21 V16.03.08.16 Command Injection https://github.com/LX-LX88/cve/issues/26 https://www.tenda.com.cn/ |
| Tenda--HG10 | A flaw has been found in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. This affects the function system of the file /boaform/formSysCmd. This manipulation of the argument sysCmd causes command injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2026-01-30 | 4.7 | CVE-2026-1690 | VDB-343484 \| Tenda HG10 formSysCmd system command injection VDB-343484 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741425 \| Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon Command Injection https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSysCmd-sysCmd-command.md https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSysCmd-sysCmd-command.md#poc https://www.tenda.com.cn/ |
| theupdateframework--go-tuf | go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch. | 2026-01-27 | 4.7 | CVE-2026-24686 | https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4 https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0 |
| thewebfosters-thewebfosters | Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability through product add or edit functions to execute arbitrary JavaScript and potentially hijack user sessions. | 2026-02-01 | 6.4 | CVE-2021-47908 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Ultimate POS 4.4 Persistent Cross-Site Scripting via Product Name |
| tigroumeow--AI Engine The Chatbot and AI Framework for WordPress | The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'get_audio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, if "Public API" is enabled in the plugin settings, and 'allow_url_fopen' is set to 'On' on the server. | 2026-01-27 | 6.4 | CVE-2026-0746 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cbba866d-93dd-4ef5-9670-ab958f61f06e?source=cve https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.1/classes/engines/chatml.php#L946 https://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/engines/chatml.php |
| Tildeslash Ltd.--M/Monit | M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all users. | 2026-01-28 | 6.5 | CVE-2020-36968 | ExploitDB-49081 M/Monit Official Vendor Homepage VulnCheck Advisory: M/Monit 3.7.4 - Password Disclosure |
| Totolink--A7000R | A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2026-01-28 | 6.3 | CVE-2026-1547 | VDB-343231 \| Totolink A7000R cstecgi.cgi setUnloadUserData command injection VDB-343231 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739713 \| TOTOLINK A7000R V4.1cu.4154 Command Injection https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/01_RCE_setUnloadUserData_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/01_RCE_setUnloadUserData_RCE.md#poc https://www.totolink.net/ |
| Totolink--A7000R | A flaw has been found in Totolink A7000R 4.1cu.4154. This impacts the function CloudACMunualUpdateUserdata of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument url causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2026-01-28 | 6.3 | CVE-2026-1548 | VDB-343232 \| Totolink A7000R cstecgi.cgi CloudACMunualUpdateUserdata command injection VDB-343232 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739715 \| TOTOLINK A7000R V4.1cu.4154 Command Injection https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/02_RCE_CloudACMunualUpdateUserdata_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/02_RCE_CloudACMunualUpdateUserdata_RCE.md#poc https://www.totolink.net/ |
| Totolink--A7000R | A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-29 | 6.3 | CVE-2026-1601 | VDB-343373 \| Totolink A7000R cstecgi.cgi setUploadUserData command injection VDB-343373 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740760 \| TOTOLINK A7000R V4.1cu.4154 Command Injection https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/03_RCE_setUploadUserData_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/03_RCE_setUploadUserData_RCE.md#poc https://www.totolink.net/ |
| Totolink--A7000R | A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-29 | 6.3 | CVE-2026-1623 | VDB-343382 \| Totolink A7000R cstecgi.cgi setUpgradeFW command injection VDB-343382 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740767 \| TOTOLINK A7000R V4.1cu.4154 Command Injection https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/04_RCE_setUpgradeFW_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/04_RCE_setUpgradeFW_RCE.md#poc https://www.totolink.net/ |
| TrustTunnel--TrustTunnel | TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writes), `extract_client_random` returns `None`. In `rules.rs`, `RulesEngine::evaluate` only evaluates `client_random_prefix` when `client_random` is `Some(...)`. As a result, when extraction fails (`client_random == None`), any rule that relies on `client_random_prefix` matching is skipped and evaluation falls through to later rules. As an important semantics note: `client_random_prefix` is a match condition only. It does not mean "block non-matching prefixes" by itself. A rule with `client_random_prefix = ...` triggers its `action` only when the prefix matches (and the field is available to evaluate). Non-matches (or `None`) simply do not match that rule and continue to fall through. The vulnerability is fixed in version 0.9.115. | 2026-01-29 | 5.3 | CVE-2026-24904 | https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-fqh7-r5gf-3r87 https://github.com/TrustTunnel/TrustTunnel/commit/aa5060145506952b9431b0ed3edb52bb6c08d9a6 |
| Tryton--Tryton | Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces. | 2026-01-30 | 6.4 | CVE-2020-37014 | ExploitDB-48466 Official Tryton Homepage Tryton Download Page Vulnerability Lab Advisory VulnCheck Advisory: Tryton 5.4 - Persistent Cross-Site Scripting |
| vercel--next | A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications. | 2026-01-26 | 5.9 | CVE-2025-59471 | https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f |
| vercel--next | A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion: 1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory. 2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion. Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server. To be affected you must have an application running with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable. Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications. | 2026-01-26 | 5.9 | CVE-2025-59472 | https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h |
| vinod-dalvi--Ivory Search WordPress Search Plugin | The Ivory Search - WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-28 | 4.4 | CVE-2026-1053 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cdc5ef6a-32d8-4c4b-b459-d9b543b56898?source=cve https://plugins.svn.wordpress.org/add-search-to-menu/tags/5.5.13/public/class-is-public.php https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/class-is-public.php#L204 https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/class-is-public.php#L249 https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/partials/is-ajax-results.php#L148 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444659%40add-search-to-menu&new=3444659%40add-search-to-menu&sfp_email=&sfph_mail= |
| vlt--vlt | vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction. | 2026-01-27 | 5.9 | CVE-2026-24909 | https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack https://github.com/vltpkg/vltpkg/releases/tag/v1.0.0-rc.10 https://github.com/vltpkg/vltpkg/pull/1334 https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act |
| webaways--NEX-Forms Ultimate Forms Plugin for WordPress | The NEX-Forms - Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys by enumerating the nex_forms_Id parameter. | 2026-01-31 | 5.3 | CVE-2025-15510 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ddfa5a3d-fef2-4049-915c-51c3e28153bf?source=cve https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.7/includes/classes/class.export.php#L11 |
| webguyio--Stop Spammers Classic | The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1. | 2026-01-28 | 4.3 | CVE-2025-14795 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5d6f38d7-a769-422d-ae3f-565cb1cc8a73?source=cve https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/tags/2025.4/classes/ss_addtoallowlist.php#L21 https://plugins.trac.wordpress.org/changeset/3436357/ https://plugins.trac.wordpress.org/changeset/3440788/ |
| WebMO, LLC--WebMO Job Manager | WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. Attackers can exploit the filterSearch and filterSearchType parameters to perform non-persistent attacks including session hijacking and external redirects. | 2026-02-01 | 5.4 | CVE-2021-47920 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: WebMO Job Manager 20.0 Cross-Site Scripting via Search Parameters |
| WellChoose--Single Sign-On Portal System | Single Sign-On Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript code in the user's browser through phishing attacks. | 2026-01-26 | 5.4 | CVE-2026-1429 | https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html https://www.twcert.org.tw/en/cp-139-10655-59160-2.html |
| withstudiocms--studiocms | StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users. Version 0.2.0 patches the issue. | 2026-01-27 | 6.5 | CVE-2026-24134 | https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932 https://github.com/withstudiocms/studiocms/commit/efc10bee20db090fdd75463622c30dda390c50ad https://github.com/withstudiocms/studiocms/releases/tag/studiocms%400.2.0 |
| wpbits--WPBITS Addons For Elementor Page Builder | The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-9082 | https://www.wordfence.com/threat-intel/vulnerabilities/id/99b47856-502e-4e9d-b0ea-62c57509b46a?source=cve https://plugins.trac.wordpress.org/browser/wpbits-addons-for-elementor/trunk/includes/widgets/image_compare.php#L607 https://plugins.trac.wordpress.org/browser/wpbits-addons-for-elementor/trunk/includes/widgets/tooltip.php#L860 https://plugins.trac.wordpress.org/browser/wpbits-addons-for-elementor/trunk/includes/widgets/text_rotator.php#L369 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442812%40wpbits-addons-for-elementor&new=3442812%40wpbits-addons-for-elementor&sfp_email=&sfph_mail= |
| wpblockart--BlockArt Blocks Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library | The BlockArt Blocks - Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-14283 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9526a8b-fefe-4ca6-871f-1ead3f498679?source=cve https://plugins.trac.wordpress.org/browser/blockart-blocks/trunk/dist/counter.js |
| wpchill--Passster Password Protect Pages and Content | The Passster - Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21. | 2026-01-28 | 6.4 | CVE-2025-14865 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ea939f5-8b56-44be-bd20-b69e9ded5970?source=cve https://plugins.trac.wordpress.org/browser/content-protector/tags/4.2.20/inc/class-ps-public.php#L136 https://plugins.trac.wordpress.org/changeset/3422595/ https://plugins.trac.wordpress.org/changeset/3439532/ |
| wpcodefactory--Order Minimum/Maximum Amount Limits for WooCommerce | The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-28 | 4.4 | CVE-2026-1381 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3f54f117-0dde-49f9-8014-7650bc1a00ac?source=cve https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/trunk/includes/settings/class-alg-wc-oma-settings-general.php https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/trunk/includes/class-alg-wc-oma-core.php#L86 https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/tags/4.6.8/includes/class-alg-wc-oma-core.php#L86 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3447432%40order-minimum-amount-for-woocommerce&new=3447432%40order-minimum-amount-for-woocommerce&sfp_email=&sfph_mail= |
| wpdevelop--Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails. | 2026-01-31 | 5.3 | CVE-2026-1431 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0bd92f91-d9b1-4f6f-ac1a-477950ea2e80?source=cve https://plugins.trac.wordpress.org/browser/booking/tags/10.14.13/core/lib/wpbc-ajax.php#L25 |
| Xeroneit--Xeroneit Library Management System | Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload in the Category Name field to execute arbitrary JavaScript code when the page is loaded. | 2026-01-26 | 6.4 | CVE-2020-36954 | ExploitDB-49292 Vendor Homepage Software Product Page VulnCheck Advisory: Xeroneit Library Management System 3.1 - "Add Book Category " Stored XSS |
| zephyrproject-rtos--Zephyr | A flaw in Zephyr's network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem. | 2026-01-30 | 6.5 | CVE-2025-12899 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c2vg-hj83-c2vg |
| Zhong Bang--CRMEB | A security flaw has been discovered in Zhong Bang CRMEB up to 5.6.3. This vulnerability affects unknown code of the file crmeb/app/api/controller/v1/CrontabController.php of the component crontab Endpoint. The manipulation results in missing authorization. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-01 | 5.3 | CVE-2026-1734 | VDB-343633 \| Zhong Bang CRMEB crontab Endpoint CrontabController.php authorization VDB-343633 \| CTI Indicators (IOB, IOC, IOA) Submit #736619 \| Zhongbang CRMEB v5.6.3 Missing Authorization https://github.com/foeCat/CVE/blob/main/CRMEB/crontab_unauthorized_access.md https://github.com/foeCat/CVE/blob/main/CRMEB/crontab_unauthorized_access.md#proof-of-concept |
| Zhong Bang--CRMEB | A vulnerability was identified in Zhong Bang CRMEB up to 5.6.3. This affects the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. The manipulation of the argument order_id leads to improper authorization. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-01 | 4.3 | CVE-2026-1733 | VDB-343632 \| Zhong Bang CRMEB :uni tidyOrder improper authorization VDB-343632 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736558 \| Zhongbang CRMEB v5.6.3 Improper Access Controls https://github.com/foeCat/CVE/blob/main/CRMEB/integral_order_detail_idor.md https://github.com/foeCat/CVE/blob/main/CRMEB/integral_order_detail_idor.md#%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0 |
| Zohocorp--ManageEngine OpManager | Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details. | 2026-01-30 | 4.6 | CVE-2025-9226 | https://www.manageengine.com/itom/advisory/cve-2025-9226.html |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Bdtask--Bhojon All-In-One Restaurant Management System | A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. Performing a manipulation of the argument fullname results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 3.5 | CVE-2026-1598 | VDB-343360 \| Bdtask Bhojon All-In-One Restaurant Management System User Information profile cross site scripting VDB-343360 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740738 \| Bdtask Bhojon All-In-One Restaurant Management System Latest Stored Cross-Site Scripting https://github.com/4m3rr0r/PoCVulDb/issues/12 |
| Brother Industries, Ltd.--Multiple MFPs | Multiple MFPs provided by Brother Industries, Ltd. do not properly validate server certificates, which may allow a man-in-the-middle attacker to replace the set of root certificates used by the product with a set of arbitrary certificates. | 2026-01-29 | 3.7 | CVE-2025-53869 | https://faq.brother.co.jp/app/answers/detail/a_id/13716 https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2026-0001.pdf https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2026-000001 https://jvn.jp/en/vu/JVNVU92878805/ |
| code-projects--Online Examination System | A vulnerability has been found in code-projects Online Examination System 1.0. Affected is an unknown function of the component Add Pages. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2026-01-26 | 3.5 | CVE-2026-1421 | VDB-342837 \| code-projects Online Examination System Add Pages cross site scripting VDB-342837 \| CTI Indicators (IOB, IOC, TTP) Submit #736605 \| code-projects Online Examination System 1 Cross Site Scripting https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-1-stored-xss-in-all-add-pages https://code-projects.org/ |
| D-Link--DCS-700L | A vulnerability was identified in D-Link DCS-700L 1.03.09. The affected element is the function uploadmusic of the file /setUploadMusic of the component Music File Upload Service. The manipulation of the argument UploadMusic leads to path traversal. The attack can only be initiated within the local network. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-28 | 2.4 | CVE-2026-1532 | VDB-343218 \| D-Link DCS-700L Music File Upload Service setUploadMusic uploadmusic path traversal VDB-343218 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738693 \| D-Link DCS700l v1.03.09 Absolute Path Traversal https://tzh00203.notion.site/D-Link-DCS700l-v1-03-09-Path-Traversal-Vulnerability-in-Music-File-Upload-2e8b5c52018a80369553f07ab91aabe2?source=copy_link https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability was identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_40AC74 of the component Login. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. This attack is characterized by high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. | 2026-01-30 | 3.7 | CVE-2026-1685 | VDB-343479 \| D-Link DIR-823X Login sub_40AC74 excessive authentication VDB-343479 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740886 \| D-Link dir-823X 250416 A logical flaw in the authentication mechanism exists https://github.com/master-abc/cve/issues/17 https://www.dlink.com/ |
| D-Link--DSL-6641K | A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-30 | 2.4 | CVE-2026-1705 | VDB-343510 \| D-Link DSL-6641K Web ad_virtual_server_vdsl cross site scripting VDB-343510 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742421 \| D-Link DSL6641K version N8.TR069.20131126 Cross Site Scripting https://tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-ad_virtual_server_vdsl-Configuration-2eeb5c52018a805d97adfb23dfec39c9?source=copy_link https://www.dlink.com/ |
| GnuPG--GnuPG | In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash). | 2026-01-27 | 3.7 | CVE-2026-24883 | https://www.openwall.com/lists/oss-security/2026/01/27/8 https://dev.gnupg.org/T8049 |
| GPAC--GPAC | A vulnerability was identified in GPAC up to 2.4.0. Affected is the function gf_media_export_webvtt_metadata of the file src/media_tools/media_export.c. The manipulation of the argument Name leads to null pointer dereference. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is af951b892dfbaaa38336ba2eba6d6a42c25810fd. To fix this issue, it is recommended to deploy a patch. | 2026-01-26 | 3.3 | CVE-2026-1415 | VDB-342804 \| GPAC media_export.c gf_media_export_webvtt_metadata null pointer dereference VDB-342804 \| CTI Indicators (IOB, IOC, IOA) Submit #736541 \| gpac v2.4.0 NULL Pointer Dereference https://github.com/gpac/gpac/issues/3428 https://github.com/gpac/gpac/issues/3428#issue-3802223345 https://github.com/enocknt/gpac/commit/af951b892dfbaaa38336ba2eba6d6a42c25810fd |
| GPAC--GPAC | A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as d45c264c20addf0c1cc05124ede33f8ffa800e68. It is advisable to implement a patch to correct this issue. | 2026-01-26 | 3.3 | CVE-2026-1416 | VDB-342805 \| GPAC filedump.c DumpMovieInfo null pointer dereference VDB-342805 \| CTI Indicators (IOB, IOC, IOA) Submit #736542 \| gpac v2.4.0 NULL Pointer Dereference https://github.com/gpac/gpac/issues/3427 https://github.com/gpac/gpac/issues/3427#issue-3802197432 https://github.com/enocknt/gpac/commit/d45c264c20addf0c1cc05124ede33f8ffa800e68 |
| GPAC--GPAC | A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: f96bd57c3ccdcde4335a0be28cd3e8fe296993de. Applying a patch is the recommended action to fix this issue. | 2026-01-26 | 3.3 | CVE-2026-1417 | VDB-342806 \| GPAC filedump.c dump_isom_rtp null pointer dereference VDB-342806 \| CTI Indicators (IOB, IOC, IOA) Submit #736543 \| gpac v2.4.0 NULL Pointer Dereference https://github.com/gpac/gpac/issues/3426 https://github.com/gpac/gpac/issues/3426#issue-3802172856 https://github.com/enocknt/gpac/commit/f96bd57c3ccdcde4335a0be28cd3e8fe296993de |
| iJason-Liu--Books_Manager | A vulnerability has been found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This affects an unknown part of the file controllers/books_center/add_book_check.php. Such manipulation of the argument mark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. | 2026-01-26 | 2.4 | CVE-2026-1444 | VDB-342873 \| iJason-Liu Books_Manager add_book_check.php cross site scripting VDB-342873 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736968 \| https://github.com/iJason-Liu/Books_Manager Books_Manager 1.0 Stored XSS https://blog.y1fan.work/2026/01/13/%E5%AD%98%E5%82%A8%E5%9E%8Bxss/ |
| ixray-team--ixray-1.6-stcop | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. | 2026-01-27 | 3.7 | CVE-2026-24870 | https://github.com/ixray-team/ixray-1.6-stcop/pull/258 |
| jishenghua--jshERP | A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. The manipulation of the argument path results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-29 | 2.7 | CVE-2026-1588 | VDB-343351 \| jishenghua jshERP installByPath install path traversal VDB-343351 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740649 \| https://github.com/jishenghua/jshERP jshERP v3.6 Path Traversal https://github.com/jishenghua/jshERP/issues/147 https://github.com/jishenghua/jshERP/ |
| llamastack--Llama Stack | Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log. | 2026-01-30 | 3.2 | CVE-2026-25211 | https://github.com/llamastack/llama-stack/pull/4439 https://github.com/llamastack/llama-stack/compare/v0.4.0rc2...v0.4.0rc3 |
| MoonshotAI--kimi-agent-sdk | Kimi Agent SDK is a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync() as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $(cmd) could execute arbitrary commands. Note: This vulnerability exists only in the repository's development scripts. The published VSCode extension does not include these files and end users are not affected. This is fixed in version 0.1.6 by replacing execSync with execFileSync using array arguments. As a workaround, ensure .vsix files in the project directory have safe filenames before running publish scripts. | 2026-01-29 | 2.9 | CVE-2026-25046 | https://github.com/MoonshotAI/kimi-agent-sdk/security/advisories/GHSA-mv58-gxx5-8hj3 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default. | 2026-01-27 | 3.7 | CVE-2026-22261 | https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44 https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667 https://redmine.openinfosecfoundation.org/issues/8156 |
| projectworlds--House Rental and Property Listing | A weakness has been identified in projectworlds House Rental and Property Listing 1.0. This vulnerability affects unknown code of the file /app/sms.php. This manipulation of the argument Message causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-30 | 3.5 | CVE-2026-1700 | VDB-343490 \| projectworlds House Rental and Property Listing sms.php cross site scripting VDB-343490 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741977 \| projectworlds.com House rental And Property Listing Project V1.0 cross site scripting https://github.com/jiahao412/CVE/issues/3 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption. | 2026-01-26 | 3.1 | CVE-2026-1190 | https://access.redhat.com/security/cve/CVE-2026-1190 RHBZ#2430835 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability. | 2026-01-27 | 2.8 | CVE-2026-1485 | https://access.redhat.com/security/cve/CVE-2026-1485 RHBZ#2433325 |
| rethinkdb--rethinkdb | A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-28 | 2.4 | CVE-2026-1520 | VDB-343191 \| rethinkdb Secondary Index cross site scripting VDB-343191 \| CTI Indicators (IOB, IOC, TTP) Submit #738312 \| rethinkdb V2.4.3(latest) cross-site scripting(XSS) https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20rethinkdb%20database.md https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20rethinkdb%20database.md#poc |
| Tanium--Discover | Tanium addressed an improper input validation vulnerability in Discover. | 2026-01-26 | 2.7 | CVE-2026-0925 | TAN-2026-002 |
| Tanium--Interact | Tanium addressed an improper access controls vulnerability in Interact. | 2026-01-29 | 3.1 | CVE-2025-15288 | TAN-2025-034 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| aangine--aangine | An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, portfolio-item-service data retrieval module endpoints | 2026-01-26 | not yet calculated | CVE-2025-67274 | https://aangine.com https://continuous.software/products https://gist.github.com/c4m0uflag3/26fec868b764c4e7314ad246bab01c88 |
| abcz316--SKRoot-linuxKernelRoot | NULL Pointer Dereference vulnerability in abcz316 SKRoot-linuxKernelRoot (testRoot/jni/utils modules). This vulnerability is associated with program files cJSON.Cpp. This issue affects SKRoot-linuxKernelRoot. | 2026-01-27 | not yet calculated | CVE-2026-24813 | https://github.com/abcz316/SKRoot-linuxKernelRoot/pull/116 |
| Acronis--Acronis Cloud Manager | Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cloud Manager (Windows) before build 6.4.25342.354. | 2026-01-27 | not yet calculated | CVE-2026-0705 | SEC-7316 |
| AhaChat--AhaChat Messenger Marketing | The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | 2026-01-26 | not yet calculated | CVE-2025-14316 | https://wpscan.com/vulnerability/7d69ebec-f940-4491-a51e-70a9e1bf8a4c/ |
| akuity--kargo | Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versions 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue. | 2026-01-27 | not yet calculated | CVE-2026-24748 | https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5 https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772 https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7 https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c |
| ALSA Project--alsa-lib | alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash. | 2026-01-29 | not yet calculated | CVE-2026-25068 | https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow |
| Altitude--Altitude Communication Server | Illegal HTTP request traffic vulnerability (CL.0) in Altitude Communication Server, caused by inconsistent analysis of multiple HTTP requests over a single Keep-Alive connection using Content-Length headers. This can cause a desynchronization of requests between frontend and backend servers, which could allow request hiding, cache poisoning or security bypass. | 2026-01-26 | not yet calculated | CVE-2025-41082 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-altitude-communication-server |
| Altitude--Altitude Communication Server | Vulnerability in Altitude Authentication Service and Altitude Communication Server v8.5.3290.0 by Altitude, where manipulation of Host header in HTTP requests allows redirection to an arbitrary URL or modification of the base URL to trick the victim into sending login credentials to a malicious website. This behavior can be used to redirect clients to endpoints controlled by the attacker. | 2026-01-26 | not yet calculated | CVE-2025-41083 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-altitude-communication-server |
| AltumCode--AltumCode | A directory traversal (Zip Slip) vulnerability exists in the "Static Sites" feature of 66biolinks v44.0.0 by AltumCode. Uploaded ZIP archives are automatically extracted without validating or sanitizing file paths. An attacker can include traversal sequences (e.g., ../) in ZIP entries to write files outside the intended extraction directory. This allows static files (html, js, css, images) to be written to unintended locations, or existing HTML files to be overwritten, potentially leading to content defacement and, in certain deployments, further impact if sensitive files are overwritten. | 2026-01-28 | not yet calculated | CVE-2025-69601 | https://gist.github.com/Waqar-Arain/9cd59aa74de540eeb3b09d15bac35e36 |
| AltumCode--AltumCode | A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users logging in from the same browser, allowing an attacker who can set or predict a session ID to potentially hijack an authenticated session. | 2026-01-28 | not yet calculated | CVE-2025-69602 | https://gist.github.com/Waqar-Arain/c8117308325a91b8f3b7829646915275 |
| Amidaware--Amidaware | A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server. This occurs due to improper sanitization of the template_md parameter, enabling direct injection of Jinja2 templates. Because the generate_html() function is misused, the user-controlled value is inserted into `env.from_string`, a function that processes Jinja2 templates arbitrarily, making an SSTI possible. | 2026-01-29 | not yet calculated | CVE-2025-69516 | https://github.com/amidaware/tacticalrmm https://www.amidaware.com/ https://gist.github.com/NtGabrielGomes/7c424367cc316fd7527f668ff076fece |
| Amidaware--Amidaware | An HTML injection vulnerability in Amidaware Inc Tactical RMM v1.3.1 and earlier allows authenticated users to inject arbitrary HTML content during the creation of a new agent via the POST /api/v3/newagent/ endpoint. The agent_id parameter accepts up to 255 characters and is improperly sanitized using DOMPurify.sanitize() with the html: true option enabled, which fails to adequately filter HTML input. The injected HTML is rendered in the Tactical RMM management panel when an administrator attempts to remove or shut down the affected agent, potentially leading to client-side attacks such as UI manipulation or phishing. NOTE: the Supplier's position is that this has incorrect information. | 2026-01-28 | not yet calculated | CVE-2025-69517 | https://github.com/amidaware/tacticalrmm https://www.amidaware.com/ https://gist.github.com/NtGabrielGomes/fdabcd9e85d841c5490739686e0f8b72 |
| amir20--dozzle | Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle's agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out of scope containers (for example, `env=prod`) on the same agent host by directly targeting their container IDs. Version 9.0.3 contains a patch for the issue. | 2026-01-27 | not yet calculated | CVE-2026-24740 | https://github.com/amir20/dozzle/security/advisories/GHSA-m855-r557-5rc5 https://github.com/amir20/dozzle/commit/620e59aa246347ba8a27e68c532853b8a5137bc1 https://github.com/amir20/dozzle/releases/tag/v9.0.3 |
| anyrtcIO-Community--anyRTC-RTMP-OpenSource | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in anyrtcIO-Community anyRTC-RTMP-OpenSource (third_party/faad2-2.7/libfaad modules). This vulnerability is associated with program files bits.C, syntax.C. This issue affects anyRTC-RTMP-OpenSource: before 1.0. | 2026-01-27 | not yet calculated | CVE-2026-1465 | https://github.com/anyrtcIO-Community/anyRTC-RTMP-OpenSource/pull/166 |
| Apache Software Foundation--Apache Karaf | Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS. NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue. This issue affects Apache Karaf Decanter before 2.12.0. Users are recommended to upgrade to version 2.12.0, which fixes the issue. | 2026-01-26 | not yet calculated | CVE-2026-24656 | https://lists.apache.org/thread/dc5wmdn6hyc992olntkl75kk04ndzx34 |
| Apache Software Foundation--HDFS native client | Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. | 2026-01-26 | not yet calculated | CVE-2025-27821 | https://lists.apache.org/thread/kwjhyyx0wl2z9b0mw0styjk0hhdbyplh |
| Apple--iOS and iPadOS | The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. Processing a maliciously crafted Keynote file may disclose memory contents. | 2026-01-28 | not yet calculated | CVE-2025-46306 | https://support.apple.com/en-us/125108 https://support.apple.com/en-us/126254 https://support.apple.com/en-us/125110 |
| Apple--macOS | An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. Processing a maliciously crafted Pages document may result in unexpected termination or disclosure of process memory. | 2026-01-28 | not yet calculated | CVE-2025-46316 | https://support.apple.com/en-us/125634 https://support.apple.com/en-us/126255 https://support.apple.com/en-us/125632 |
| askbot--askbot | All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This issue affects askbot: 0.12.2. | 2026-01-27 | not yet calculated | CVE-2026-1213 | https://fluidattacks.com/advisories/ghost https://askbot.com/ https://github.com/ASKBOT/askbot-devel/commit/3da3d75f35204aa71633c7a315327ba39cb6295d |
| assertj--assertj | AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by one of these methods, an attacker could read arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs; and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement. | 2026-01-26 | not yet calculated | CVE-2026-24400 | https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7 |
| Atlassian--Crowd Data Center | This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Crowd Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Crowd Data Center and Server 7.1: upgrade to a release greater than or equal to 7.1.3. See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive). This vulnerability was reported via our Atlassian (Internal) program. | 2026-01-28 | not yet calculated | CVE-2026-21569 | https://confluence.atlassian.com/pages/viewpage.action?pageId=1712324819 https://jira.atlassian.com/browse/CWD-6453 |
| azerothcore--azerothcore-wotlk | Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in azerothcore azerothcore-wotlk (deps/zlib modules). This vulnerability is associated with program files inflate.C. This issue affects azerothcore-wotlk: through v4.0.0. | 2026-01-27 | not yet calculated | CVE-2026-24793 | https://github.com/azerothcore/azerothcore-wotlk/pull/21599 |
| briandilley--jsonrpc4j | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with program files NoCloseOutputStream.Java. This issue affects jsonrpc4j: through 1.6.0. | 2026-01-27 | not yet calculated | CVE-2026-24802 | https://github.com/briandilley/jsonrpc4j/pull/333 |
| Budibase--budibase | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available. | 2026-01-29 | not yet calculated | CVE-2026-25040 | https://github.com/Budibase/budibase/security/advisories/GHSA-4wfw-r86x-qxrm https://drive.google.com/file/d/1Dtn1WLJILRYUeoMjEbUfCbqQ3g2AW2Qz/view?usp=sharing https://github.com/user-attachments/files/22066135/budibase-privileged-esc-poc.txt |
| bytecodealliance--wasmtime | Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should update to a supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disable guard pages as it is a key defense-in-depth measure of Wasmtime. | 2026-01-27 | not yet calculated | CVE-2026-24116 | https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73 https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6 https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440 https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227 https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps https://docs.wasmtime.dev/stability-release.html https://rustsec.org/advisories/RUSTSEC-2026-0006.html |
| Cacti--Cacti | An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., `<h1>`, `<b>`, `<svg>`) into the rendered page. | 2026-01-29 | not yet calculated | CVE-2025-45160 | https://github.com/Cacti/cacti https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32 |
| cadaver--turso3d | Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d. This issue affects . | 2026-01-27 | not yet calculated | CVE-2026-24826 | https://github.com/cadaver/turso3d/pull/11 |
| Canonical--juju | Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing. | 2026-01-28 | not yet calculated | CVE-2026-1237 | https://github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x |
| CardboardPowered--cardboard | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in CardboardPowered cardboard (src/main/java/org/cardboardpowered/impl/world modules). This vulnerability is associated with program files WorldImpl.Java. This issue affects cardboard: before 1.21.4. | 2026-01-27 | not yet calculated | CVE-2026-24794 | https://github.com/CardboardPowered/cardboard/pull/506 |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and when other users view that event (including the admin), the payload is triggered, leading to account takeover. Version 6.7.2 fixes the vulnerability. | 2026-01-30 | not yet calculated | CVE-2026-24855 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-49qp-cfqx-c767 https://github.com/ChurchCRM/CRM/commit/0cd0d211459b8c19509d36b3c1dfcd7f8c10d914 https://github.com/ChurchCRM/CRM/commit/ec4b16e9a3ca09c8a01a712bcb90579c42f2ba28 |
| CloverHackyColor--CloverBootloader | Out-of-bounds Write vulnerability in CloverHackyColor CloverBootloader (MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules). This vulnerability is associated with program files regcomp.C. This issue affects CloverBootloader: before 5162. | 2026-01-27 | not yet calculated | CVE-2026-24795 | https://github.com/CloverHackyColor/CloverBootloader/pull/733 |
| CloverHackyColor--CloverBootloader | Out-of-bounds Read vulnerability in CloverHackyColor CloverBootloader (MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules). This vulnerability is associated with program files regparse.C. This issue affects CloverBootloader: before 5162. | 2026-01-27 | not yet calculated | CVE-2026-24796 | https://github.com/CloverHackyColor/CloverBootloader/pull/732 |
| code-projects--code-projects | code-projects Computer Book Store 1.0 is vulnerable to File Upload in admin_add.php. | 2026-01-27 | not yet calculated | CVE-2025-69559 | https://gitee.com/Z_180yc/zyy/issues/IDBY27 https://gist.github.com/lih28984-commits/cd3a275dfd9c92a79b6a4a0e8801f4fa |
| code-projects--code-projects | code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /insertmessage.php via the userid parameter. | 2026-01-27 | not yet calculated | CVE-2025-69562 | https://gitee.com/Z_180yc/zyy/issues/IDC5FU https://gist.github.com/lih28984-commits/a847a034c3bb626904dcc6ab7576257f |
| code-projects--code-projects | code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExLogin.php via the Password parameter. | 2026-01-27 | not yet calculated | CVE-2025-69563 | https://gitee.com/Z_180yc/zyy/issues/IDC3IB https://gist.github.com/lih28984-commits/544eaaca3ea58563a807c43b521d76e6 |
| code-projects--code-projects | code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters. | 2026-01-27 | not yet calculated | CVE-2025-69564 | https://gitee.com/Z_180yc/zyy/issues/IDCEJP https://gist.github.com/lih28984-commits/87eacfc32186020a04e03a2af448723f |
| code-projects--code-projects | code-projects Mobile Shop Management System 1.0 is vulnerable to File Upload in /ExAddProduct.php. | 2026-01-27 | not yet calculated | CVE-2025-69565 | https://gitee.com/Z_180yc/zyy/issues/IDCFAQ https://gist.github.com/lih28984-commits/81d523afde3b122c652f652bab808e33 |
| coolsnowwolf--lede | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7615d/src/mt_wifi/embedded/security modules). This vulnerability is associated with program files bn_lib.C. This issue affects lede: through r25.10.1. | 2026-01-27 | not yet calculated | CVE-2026-24803 | https://github.com/coolsnowwolf/lede/pull/13346 |
| coolsnowwolf--lede | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7603e/src/mt7603_wifi/common modules). This vulnerability is associated with program files bn_lib.C. This issue affects lede: through r25.10.1. | 2026-01-27 | not yet calculated | CVE-2026-24804 | https://github.com/coolsnowwolf/lede/pull/13368 |
| CPU-Z--CPU-Z | The kernel driver of CPUID CPU-Z v2.17 and earlier does not validate user-supplied values passed via its IOCTL interface, allowing an attacker to access sensitive information via a crafted request. | 2026-01-27 | not yet calculated | CVE-2025-65264 | https://www.cpuid.com/softwares/cpu-z.html https://github.com/cwjchoi01/CVE-2025-65264 |
| datavane--tis | Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java. This issue affects tis: before v4.3.0. | 2026-01-27 | not yet calculated | CVE-2026-24815 | https://github.com/datavane/tis/pull/443 |
| datavane--tis | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in datavane tis (tis-console/src/main/java/com/qlangtech/tis/runtime/module/action modules). This vulnerability is associated with program files ChangeDomainAction.Java. This issue affects tis: before v4.3.0. | 2026-01-27 | not yet calculated | CVE-2026-24816 | https://github.com/datavane/tis/pull/444 |
| davisking--dlib | Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in davisking dlib (dlib/external/zlib modules). This vulnerability is associated with program files inflate.C. This issue affects dlib: before v19.24.9. | 2026-01-27 | not yet calculated | CVE-2026-24799 | https://github.com/davisking/dlib/pull/3063 |
| Delinea Inc.--Secret Server On-Prem | Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules). This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. A secret with "change password on check in" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password. Remediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails. | 2026-01-27 | not yet calculated | CVE-2025-12810 | https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-9-000047.htm https://trust.delinea.com/?tcuUid=48260de9-954d-45c2-9c66-2c9510798a0b |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, an endpoint lets any authenticated user bypass the ai_discover_persona access controls and gain ongoing DM access to personas that may be wired to staff-only categories, RAG document sets, or automated tooling, enabling unauthorized data disclosure. Because the controller also accepts arbitrary user_id, an attacker can impersonate other accounts to trigger unwanted AI conversations on their behalf, generating confusing or abusive PM traffic. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | not yet calculated | CVE-2025-68660 | https://github.com/discourse/discourse/security/advisories/GHSA-mrvm-rprq-jqqh |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, user archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users is leaked through the archives, leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched. | 2026-01-28 | not yet calculated | CVE-2025-68666 | https://github.com/discourse/discourse/security/advisories/GHSA-xmvw-jjqq-25mv |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive content such as user data exports, admin backups, and other private attachments that moderators should not have access to. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. There is no workaround. Limit moderator privileges to trusted users until the patch is applied. | 2026-01-28 | not yet calculated | CVE-2025-69218 | https://github.com/discourse/discourse/security/advisories/GHSA-79f9-j8h4-3w6w |
| discourse--discourse | Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the "require_change_email_confirmation" setting. | 2026-01-28 | not yet calculated | CVE-2025-69289 | https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq |
| discourse--discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn't have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page's search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | not yet calculated | CVE-2026-23743 | https://github.com/discourse/discourse/security/advisories/GHSA-v5jw-rxc6-4cvv |
| DokuWiki--DokuWiki | aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php. | 2026-01-30 | not yet calculated | CVE-2025-51958 | https://www.dokuwiki.org/plugin:runcommand https://github.com/aelsantex/runcommand https://gist.github.com/NtustLin/f64528002e4f61874045799127dc49a4 |
| dormakaba--Access Manager 92xx-k5 | The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps. This insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication: re-configure Access Managers (e.g. remove alarming system requirements); freely re-configure the inputs and outputs; open all connected doors permanently; open all doors for a defined time interval; change the admin password; and many more. Network level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet. | 2026-01-26 | not yet calculated | CVE-2025-59097 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | The Access Manager is offering a trace functionality to debug errors and issues with the device. The trace functionality is implemented as a simple TCP socket. A tool called TraceClient.exe, provided by dormakaba via the Access Manager web interface, is used to connect to the socket and receive debug information. The data is permanently broadcasted on the TCP socket. The socket can be accessed without any authentication or encryption. The transmitted data is based on the set verbosity level. The verbosity level can be set using the http(s) endpoint with the service interface password or with the guessable identifier of the device via the SOAP interface. The transmitted data contains sensitive data like the Card ID as well as all button presses on Registration units. This allows an attacker with network level access to retrieve all entered PINs on a registration unit. | 2026-01-26 | not yet calculated | CVE-2025-59098 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | The Access Manager is using the open source web server CompactWebServer written in C#. This web server is affected by a path traversal vulnerability, which allows an attacker to directly access files via simple GET requests without prior authentication. Hence, it is possible to retrieve all files stored on the file system, including the SQLite database Database.sq3, containing badge information and the corresponding PIN codes. Additionally, when trying to access certain files, the web server crashes and becomes unreachable for about 60 seconds. This can be abused to continuously send the request and cause denial of service. | 2026-01-26 | not yet calculated | CVE-2025-59099 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots. After rebooting, the exported database is deleted and cannot be accessed anymore. However, it was noticed that sometimes the device does not reboot and therefore the exported database is not deleted, or the device reboots and the export is not deleted for unknown reasons. The path where the database export is located can be accessed without prior authentication. This leads to the fact that an attacker might be able to get access to the exported database without prior authentication. The database includes sensitive data like passwords, card pins, encrypted Mifare sitekeys and much more. | 2026-01-26 | not yet calculated | CVE-2025-59100 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface. | 2026-01-26 | not yet calculated | CVE-2025-59101 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs are even stored unencrypted. Combined with the fact that an attacker can easily get access to the backup functionality by abusing the session management issue (CVE-2025-59101), or by exploiting the weak default password (CVE-2025-59108), or by simply setting a new password without prior authentication via the SOAP API (CVE-2025-59097), it is easily possible to access the sensitive data on the device. | 2026-01-26 | not yet calculated | CVE-2025-59102 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | The Access Manager 92xx in hardware revision K7 is based on Linux instead of Windows CE embedded in older hardware revisions. In this new hardware revision it was noticed that an SSH service is exposed on port 22. By analyzing the firmware of the devices, it was noticed that there are two users with hardcoded and weak passwords that can be used to access the devices via SSH. The passwords can be also guessed very easily. The password of at least one user is set to a random value after the first deployment, with the restriction that the password is only randomized if the configured date is prior to 2022. Therefore, under certain circumstances, the passwords are not randomized, for example if the clock is never set on the device, the battery of the clock module has been changed, or the Access Manager has been factory reset and has not received a time yet. | 2026-01-26 | not yet calculated | CVE-2025-59103 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption. Thus, essential files, such as "/etc/passwd", as well as stored certificates, cryptographic keys, stored PINs and so on can be modified and read, in order to gain SSH root access on the Linux-based K7 model. On the Windows CE based K5 model, the password for the Access Manager can additionally be read in plain text from the stored SQLite database. | 2026-01-26 | not yet calculated | CVE-2025-59105 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | Dormakaba provides the software FWServiceTool to update the firmware version of the Access Managers via the network. The firmware in some instances is provided in an encrypted ZIP file. Within this tool, the password used to decrypt the ZIP and extract the firmware is set statically and can be extracted. This password was valid for multiple observed firmware versions. | 2026-01-26 | not yet calculated | CVE-2025-59107 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k5 | By default, the password for the Access Manager's web interface is set to 'admin'. In the tested version, changing the password was not enforced. | 2026-01-26 | not yet calculated | CVE-2025-59108 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k7 | With physical access to the device and enough time an attacker is able to solder test leads to the debug footprint (or use the 6-Pin tag-connect cable). Thus, the attacker gains access to the bootloader, where the kernel command line can be changed. An attacker is able to gain a root shell through this vulnerability. | 2026-01-26 | not yet calculated | CVE-2025-59104 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Access Manager 92xx-k7 | The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges. | 2026-01-26 | not yet calculated | CVE-2025-59106 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--dormakaba registration unit 9002 | The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi). | 2026-01-26 | not yet calculated | CVE-2025-59109 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled chip cards. | 2026-01-26 | not yet calculated | CVE-2025-59090 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | Multiple hardcoded credentials have been identified, which are allowed to sign-in to the exos 9300 datapoint server running on port 1004 and 1005. This server is used for relaying status information from and to the Access Managers. This information, among other things, is used to graphically visualize open doors and alerts. However, controlling the Access Managers via this interface is also possible. To send and receive status information, authentication is necessary. The Kaba exos 9300 application contains hard-coded credentials for four different users, which are allowed to login to the datapoint server and receive as well as send information, including commands to open arbitrary doors. | 2026-01-26 | not yet calculated | CVE-2025-59091 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | An RPC service, which is part of exos 9300, is reachable on port 4000, run by the process FSMobilePhoneInterface.exe. This service is used for interprocess communication between services and the Kaba exos 9300 GUI, containing status information about the Access Managers. Interacting with the service does not require any authentication. Therefore, it is possible to send arbitrary status information about door contacts etc. without prior authentication. | 2026-01-26 | not yet calculated | CVE-2025-59092 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | Exos 9300 instances are using a randomly generated database password to connect to the configured MSSQL server. The password is derived from static random values, which are concatenated to the hostname and a random string that can be read by every user from the registry. This allows an attacker to derive the database password and get authenticated access to the central exos 9300 database as the user Exos9300Common. The user has the roles ExosDialog and ExosDialogDotNet assigned, which are able to read most tables of the database as well as update and insert into many tables. | 2026-01-26 | not yet calculated | CVE-2025-59093 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | A local privilege escalation vulnerability has been identified in the Kaba exos 9300 System management application (d9sysdef.exe). Within this application it is possible to specify an arbitrary executable as well as the weekday and start time, when the specified executable should be run with SYSTEM privileges. | 2026-01-26 | not yet calculated | CVE-2025-59094 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | The program libraries (DLL) and binaries used by exos 9300 contain multiple hard-coded secrets. One notable example is the function "EncryptAndDecrypt" in the library Kaba.EXOS.common.dll. This algorithm uses a simple XOR encryption technique combined with a cryptographic key (cryptoKey) to transform each character of the input string. However, it's important to note that this implementation does not provide strong encryption and should not be considered secure for sensitive data. It's more of a custom encryption approach rather than a common algorithm used in cryptographic applications. The key itself is static and based on the founder's name of the company. The functionality is for example used to encrypt the user PINs before storing them in the MSSQL database. | 2026-01-26 | not yet calculated | CVE-2025-59095 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba--Kaba exos 9300 | The default password for the extended admin user mode in the application U9ExosAdmin.exe ("Kaba 9300 Administration") is hard-coded in multiple locations as well as documented in the locally stored user documentation. | 2026-01-26 | not yet calculated | CVE-2025-59096 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| Drupal--Acquia Content Hub | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery. This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3. | 2026-01-28 | not yet calculated | CVE-2025-14472 | https://www.drupal.org/sa-contrib-2025-125 |
| Drupal--AI (Artificial Intelligence) | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS). This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. | 2026-01-28 | not yet calculated | CVE-2025-13981 | https://www.drupal.org/sa-contrib-2025-119 |
| Drupal--CKEditor 5 Premium Features | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass. This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. | 2026-01-28 | not yet calculated | CVE-2025-13980 | https://www.drupal.org/sa-contrib-2025-118 |
| Drupal--Disable Login Page | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass. This issue affects Disable Login Page: from 0.0.0 before 1.1.3. | 2026-01-28 | not yet calculated | CVE-2025-13986 | https://www.drupal.org/sa-contrib-2025-124 |
| Drupal--Drupal | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS). This issue affects Drupal: from 7.X-1.0 through 7.X-1.22. | 2026-01-28 | not yet calculated | CVE-2026-0749 | https://www.herodevs.com/vulnerability-directory/cve-2026-0749 https://d7es.tag1.com/security-advisories/form-builder-less-critical-cross-site-scripting |
| Drupal--Drupal Commerce Paybox | Improper Verification of Cryptographic Signature vulnerability in Drupal Commerce Paybox on Drupal 7.X allows Authentication Bypass. This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5. | 2026-01-28 | not yet calculated | CVE-2026-0750 | https://www.herodevs.com/vulnerability-directory/cve-2026-0750 https://d7es.tag1.com/security-advisories/commerce-paybox-moderately-critical-payment-bypass-vulnerability |
| Drupal--Entity Share | Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing. This issue affects Entity Share: from 0.0.0 before 3.13.0. | 2026-01-28 | not yet calculated | CVE-2025-13985 | https://www.drupal.org/sa-contrib-2025-123 |
| Drupal--HTTP Client Manager | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing. This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1. | 2026-01-28 | not yet calculated | CVE-2025-14840 | https://www.drupal.org/sa-contrib-2025-126 |
| Drupal--Login Time Restriction | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery. This issue affects Login Time Restriction: from 0.0.0 before 1.0.3. | 2026-01-28 | not yet calculated | CVE-2025-13982 | https://www.drupal.org/sa-contrib-2025-120 |
| Drupal--Mini site | Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS. This issue affects Mini site: from 0.0.0 before 3.0.2. | 2026-01-28 | not yet calculated | CVE-2025-13979 | https://www.drupal.org/sa-contrib-2025-117 |
| Drupal--Next.js | Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS). This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. | 2026-01-28 | not yet calculated | CVE-2025-13984 | https://www.drupal.org/sa-contrib-2025-122 |
| Drupal--Tagify | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS). This issue affects Tagify: from 0.0.0 before 1.2.44. | 2026-01-28 | not yet calculated | CVE-2025-13983 | https://www.drupal.org/sa-contrib-2025-121 |
| Eclipse Foundation--Eclipse OMR | In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly sized, failing to account for the separator when determining when a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0. | 2026-01-29 | not yet calculated | CVE-2026-1188 | https://github.com/eclipse-omr/omr/pull/8082 |
| Eclipse Foundation--Eclipse ThreadX - NetX Duo | A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted "Packet Too Big" network packet with more than 15 different source addresses can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. | 2026-01-27 | not yet calculated | CVE-2025-55102 | https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-f3rx-xrwm-q2rf |
| Edgemo (Danoffice IT)--Local Admin Service | Improper access control in the WCF endpoint in Edgemo (now owned by Danoffice IT) Local Admin Service 1.2.7.23180 on Windows allows a local user to escalate their privileges to local administrator via direct communication with the LocalAdminService.exe named pipe, bypassing client-side group membership restrictions. | 2026-01-30 | not yet calculated | CVE-2026-1680 | https://retest.dk/local-privilege-escalation-vulnerability-found-in-local-admin-service/ https://www.danofficeit.com/howwedoit/workplace/management/ |
| EGroupware--egroupware | EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability. | 2026-01-28 | not yet calculated | CVE-2026-22243 | https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113 https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113 |
| ESET, spol. s.r.o--ESET Inspect Connector | Planting a custom configuration file in ESET Inspect Connector allows loading a malicious DLL. | 2026-01-30 | not yet calculated | CVE-2025-13176 | https://support.eset.com/en/ca8910-eset-customer-advisory-local-privilege-escalation-vulnerability-fixed-in-eset-inspect-connector-for-windows |
| eslint--eslint | Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow. | 2026-01-26 | not yet calculated | CVE-2025-50537 | https://github.com/eslint/eslint/issues/19646 https://gist.github.com/lyyffee/2ee1815e5c2da82c05e9838b9bfefbbc |
| Explorance--Blue | Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web application endpoint. An attacker can supply crafted input that is executed as part of backend database queries. The issue is exploitable without authentication, significantly raising the risk. | 2026-01-28 | not yet calculated | CVE-2025-57792 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57792 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0001.md |
| Explorance--Blue | Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user-supplied input in a web application component. Crafted input can be executed as part of backend database queries. The issue is exploitable without authentication, significantly elevating the risk. | 2026-01-28 | not yet calculated | CVE-2025-57793 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57793 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0002.md |
| Explorance--Blue | Explorance Blue versions prior to 8.14.9 contain an authenticated unrestricted file upload vulnerability in the administrative interface. The application does not adequately restrict uploaded file types, allowing malicious files to be uploaded and executed by the server. This condition enables remote code execution under default configurations. | 2026-01-28 | not yet calculated | CVE-2025-57794 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57794 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0003.md |
| Explorance--Blue | Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remote code execution. | 2026-01-28 | not yet calculated | CVE-2025-57795 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57795 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0004.md |
| Explorance--Blue | Explorance Blue versions prior to 8.14.12 use reversible symmetric encryption with a hardcoded static key to protect sensitive data, including user passwords and system configurations. This approach allows stored values to be decrypted offline if the encrypted data are obtained. | 2026-01-28 | not yet calculated | CVE-2025-57796 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57796 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0005.md |
| ExpressionEngine--ExpressionEngine | SQL Injection vulnerability in the Structure for Admin authenticated user | 2026-01-26 | not yet calculated | CVE-2025-59473 | https://hackerone.com/reports/3249794 |
| EZCast--EZCast Pro II | Multiple Buffer Overflows in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to cause a program crash and potential remote code execution | 2026-01-27 | not yet calculated | CVE-2026-24344 | https://hub.ntc.swiss/ntcf-2025-68873 |
| EZCast--EZCast Pro II | Cross-Site Request Forgery in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to bypass authorization checks and gain full access to the admin UI | 2026-01-27 | not yet calculated | CVE-2026-24345 | https://hub.ntc.swiss/ntcf-2025-32832 |
| EZCast--EZCast Pro II | Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application | 2026-01-27 | not yet calculated | CVE-2026-24346 | https://hub.ntc.swiss/ntcf-2025-13993 |
| EZCast--EZCast Pro II | Improper input validation in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to manipulate files in the /tmp directory | 2026-01-27 | not yet calculated | CVE-2026-24347 | https://hub.ntc.swiss/ntcf-2025-32806 |
| EZCast--EZCast Pro II | Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users. | 2026-01-27 | not yet calculated | CVE-2026-24348 | https://hub.ntc.swiss/ntcf-2025-145332 |
| FASTSHIFT--X-TRACK | Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in FASTSHIFT X-TRACK (Software/X-Track/USER/App/Utils/lv_img_png/PNGdec/src modules). This vulnerability is associated with program files inflate.C. This issue affects X-TRACK: through v2.7. | 2026-01-27 | not yet calculated | CVE-2026-24823 | https://github.com/FASTSHIFT/X-TRACK/pull/120 |
| Flexense--Sync Breeze Enterprise Server | Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to change a user's password or create users via '/setup_login?sid=', affecting the 'username', 'password', and 'cpassword' parameters. | 2026-01-28 | not yet calculated | CVE-2025-59891 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to delete commands individually via '/delete_command?sid=', using the 'cid' parameter. | 2026-01-28 | not yet calculated | CVE-2025-59892 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to rename commands via '/rename_command?sid=', affecting the 'command_name' parameter. | 2026-01-28 | not yet calculated | CVE-2025-59893 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to delete all commands via '/delete_all_commands?sid='. | 2026-01-28 | not yet calculated | CVE-2025-59894 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a remote denial-of-service (DoS) vulnerability in the configuration restore functionality. The issue is due to insufficient validation of user-supplied data during this process. An attacker could send malicious requests to alter the configuration file, causing the application to become unresponsive. In a successful scenario, the service may not recover on its own and require a complete reinstallation, as the configuration becomes corrupted and prevents the service from restarting, even manually. | 2026-01-28 | not yet calculated | CVE-2025-59895 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/add_command?sid=', affecting the 'command_name' parameter. | 2026-01-28 | not yet calculated | CVE-2025-59896 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/edit_command?sid=', affecting the 'source_dir' and 'dest_dir' parameters. | 2026-01-28 | not yet calculated | CVE-2025-59897 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/add_exclude_dir?sid=', affecting the 'exclude_dir' parameter. | 2026-01-28 | not yet calculated | CVE-2025-59898 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/server_options?sid=', affecting the 'tasks_logs_dir', 'errors_logs_dir', 'error_notifications_address', 'status_notifications_address', and 'status_reports_address' parameters. | 2026-01-28 | not yet calculated | CVE-2025-59899 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/server_options?sid=', affecting the 'tasks_logs_dir', 'errors_logs_dir', 'error_notifications_address', 'status_notifications_address', and 'status_reports_address' parameters. | 2026-01-28 | not yet calculated | CVE-2025-59900 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense--Sync Breeze Enterprise Server | Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent by POST. An attacker could exploit this weakness to send malicious content to an authenticated user and steal information from their session. | 2026-01-28 | not yet calculated | CVE-2025-59901 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| FluentCMS--FluentCMS | FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can upload malicious SVG files that execute JavaScript in the browser of any user accessing the uploaded file URL. | 2026-01-29 | not yet calculated | CVE-2025-15549 | GitHub Issue #2404 VulnCheck Advisory: FluentCMS 2026 Stored XSS via SVG Upload in File Management |
| foxinmy--weixin4j | Improperly Controlled Sequential Memory Allocation vulnerability in foxinmy weixin4j (weixin4j-base/src/main/java/com/foxinmy/weixin4j/util modules). This vulnerability is associated with program files CharArrayBuffer.Java, ClassUtil.Java. This issue affects weixin4j. | 2026-01-27 | not yet calculated | CVE-2026-24819 | https://github.com/foxinmy/weixin4j/pull/229 |
| FUJIFILM Business Innovation Corp.--beat-access for Windows | beat-access for Windows version 3.0.3 and prior contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with SYSTEM privileges. | 2026-01-27 | not yet calculated | CVE-2026-21408 | https://www.fujifilm.com/fbglobal/eng/company/news/notice/2026/0127_announce.html https://jvn.jp/en/jp/JVN03776126/ |
| Funambol--Cloud Server | Vulnerability that allows a Padding Oracle Attack to be performed on the Funambol v30.0.0.20 cloud server. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate 'self-signed' access URLs. | 2026-01-28 | not yet calculated | CVE-2025-41351 | https://www.incibe.es/en/incibe-cert/notices/aviso/weak-encryption-funambols-cloud-server |
| FunJSQ--FunJSQ | FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26. | 2026-01-28 | not yet calculated | CVE-2022-40619 | https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117 https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities |
| FunJSQ--FunJSQ | FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS certificates when downloading update packages through its auto-update mechanism. An attacker (suitably positioned on the network) could intercept the update request and deliver a malicious update package in order to gain arbitrary code execution on affected devices. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26. | 2026-01-28 | not yet calculated | CVE-2022-40620 | https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117 https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities |
| GaijinEntertainment--DagorEngine | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in GaijinEntertainment DagorEngine (prog/3rdPartyLibs/miniupnpc modules). This vulnerability is associated with program files upnpreplyparse.C. This issue affects DagorEngine: through dagor_2025_01_15. | 2026-01-27 | not yet calculated | CVE-2026-24798 | https://github.com/GaijinEntertainment/DagorEngine/pull/136 |
| geopandas--geopandas | SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the `to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. | 2026-01-30 | not yet calculated | CVE-2025-69662 | https://aydinnyunus.github.io/2025/12/27/sql-injection-geopandas/ https://github.com/geopandas/geopandas/pull/3681 |
| gmrtd--gmrtd | gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and CPU cycles. ReadFile can consume an extended TLV with lengths well outside what would be available in ICs. It can accept something all the way up to 4GB which would take too many iterations in 256 byte chunks, and would also try to allocate memory that might not be available in constrained environments like phones. Or if an API sends data to ReadFile, the same problem applies. The very small chunked read also locks the goroutine in accepting data for a very large number of iterations. Projects using the gmrtd library to read files from NFCs can experience extreme slowdowns or memory consumption. A malicious NFC can just behave like the mock transceiver described above and by just sending dummy bytes as each chunk to be read, can make the receiving thread unresponsive and fill up memory on the host system. Version 0.17.2 patches the issue. | 2026-01-27 | not yet calculated | CVE-2026-24738 | https://github.com/gmrtd/gmrtd/security/advisories/GHSA-j49h-6577-5xwq https://github.com/gmrtd/gmrtd/commit/54469a95e5a20a8602ac1457b2110bfeb80c8891 https://github.com/gmrtd/gmrtd/releases/tag/v0.17.2 |
| Go standard library--archive/zip | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. | 2026-01-28 | not yet calculated | CVE-2025-61728 | https://go.dev/cl/736713 https://go.dev/issue/77102 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4342 |
| Go standard library--crypto/tls | During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. | 2026-01-28 | not yet calculated | CVE-2025-61730 | https://go.dev/cl/724120 https://go.dev/issue/76443 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4340 |
| Go standard library--net/url | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. | 2026-01-28 | not yet calculated | CVE-2025-61726 | https://go.dev/cl/736712 https://go.dev/issue/77101 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4341 |
| Go toolchain--cmd/go | Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file supplies command-line arguments to pass to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location. | 2026-01-28 | not yet calculated | CVE-2025-61731 | https://go.dev/cl/736711 https://go.dev/issue/77100 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4339 |
| Go toolchain--cmd/go | Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths. | 2026-01-28 | not yet calculated | CVE-2025-68119 | https://go.dev/cl/736710 https://go.dev/issue/77099 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4338 |
| Google--Chrome | Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-01-27 | not yet calculated | CVE-2026-1504 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html https://issues.chromium.org/issues/474435504 |
| gradle--gradle-completion | gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when a user triggers Bash tab completion in a project containing a malicious Gradle build file. The `gradle-completion` script for Bash fails to adequately sanitize Gradle task names and task descriptions, allowing command injection via a malicious Gradle build file when the user completes a command in Bash (without them explicitly running any task in the build). For example, given a task description that includes a string between backticks, then that string would be evaluated as a command when presenting the task description in the completion list. While task execution is the core feature of Gradle, this inherent execution may lead to unexpected outcomes. The vulnerability does not affect zsh completion. The first patched version is 9.3.1. As a workaround, it is possible and effective to temporarily disable bash completion for Gradle by removing `gradle-completion` from `.bashrc` or `.bash_profile`. | 2026-01-29 | not yet calculated | CVE-2026-25063 | https://github.com/gradle/gradle-completion/security/advisories/GHSA-qggc-44r3-cjgv https://github.com/gradle/gradle-completion/commit/ecacc32bb882210e5d37cd79a74de1af0d0ccad7 |
| Hiawatha--Hiawatha Web server | Improper header parsing that may lead to request smuggling has been identified in Hiawatha webserver version 11.7, which allows an unauthenticated attacker to access restricted resources managed by Hiawatha webserver. | 2026-01-26 | not yet calculated | CVE-2025-57783 | https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/http.c?ref_type=heads#L205 |
| Hiawatha--Hiawatha Web server | Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client. | 2026-01-26 | not yet calculated | CVE-2025-57784 | https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/tomahawk.c?ref_type=heads#L429 |
| Hiawatha--Hiawatha Web server | A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code execution. | 2026-01-26 | not yet calculated | CVE-2025-57785 | https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/xslt.c?ref_type=heads#L675 |
| Hitachi Energy--SuprOS | Default credentials vulnerability exists in SuprOS product. If exploited, this could allow an authenticated local attacker to use an admin account created during product deployment. | 2026-01-28 | not yet calculated | CVE-2025-7740 | https://publisher.hitachienergy.com/preview?DocumentID=8DBD000223&LanguageCode=en&DocumentPartId=&Action=launch |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue. | 2026-01-27 | not yet calculated | CVE-2026-24473 | https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817 https://github.com/honojs/hono/releases/tag/v4.11.7 |
| iba Systems--ibaPDA | A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system. | 2026-01-27 | not yet calculated | CVE-2025-14988 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01 |
| Icinga--icinga-powershell-framework | The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permissions of the Icinga for Windows `certificate` directory grant every user read access, which results in the exposure of the private key of the Icinga certificate for the given host. All installations are affected. Versions 1.13.4, 1.12.4, and 1.11.2 contain a patch. Please note that upgrading to a fixed version of Icinga for Windows will also automatically fix a similar issue present in Icinga 2, CVE-2026-24413. As a workaround, the permissions can be restricted manually by updating the ACL for the given folder `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` (and `C:\ProgramData\icinga2\var` to fix the issue for the Icinga 2 agent as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. | 2026-01-29 | not yet calculated | CVE-2026-24414 | https://github.com/Icinga/icinga-powershell-framework/security/advisories/GHSA-88h5-rrm6-5973 https://github.com/Icinga/icinga2/security/advisories/GHSA-vfjg-6fpv-4mmr https://icinga.com/blog/releasing-icinga-2-v2-15-2-v2-14-8-v2-13-14-and-icinga-for-windows-v1-13-4-v1-12-4-v1-11-2 |
| Icinga--icinga2 | Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contain a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These versions will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. | 2026-01-29 | not yet calculated | CVE-2026-24413 | https://github.com/Icinga/icinga2/security/advisories/GHSA-vfjg-6fpv-4mmr https://github.com/Icinga/icinga-powershell-framework/security/advisories/GHSA-88h5-rrm6-5973 https://icinga.com/blog/releasing-icinga-2-v2-15-2-v2-14-8-v2-13-14-and-icinga-for-windows-v1-13-4-v1-12-4-v1-11-2 |
| inspektor-gadget--inspektor-gadget | Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. The `ig` binary provides a subcommand for image building, used to generate custom gadget OCI images. A part of this functionality is implemented in the file `inspektor-gadget/cmd/common/image/build.go`. The `Makefile.build` file is the Makefile template employed during the building process. This file includes user-controlled data in an unsafe fashion; specifically, some parameters are embedded without adequate escaping in the commands inside the Makefile. Prior to version 0.48.1, this implementation is vulnerable to command injection: an attacker able to control values in the `buildOptions` structure would be able to execute arbitrary commands during the building process. An attacker able to exploit this vulnerability would be able to execute arbitrary commands on the Linux host where the `ig` command is launched, if images are built with the `--local` flag, or on the build container invoked by `ig`, if the `--local` flag is not provided. The `buildOptions` structure is extracted from the YAML gadget manifest passed to the `ig image build` command. Therefore, the attacker would need a way to control either the full `build.yml` file passed to the `ig image build` command, or one of its options. Typically, this could happen in a CI/CD scenario that builds untrusted gadgets to verify correctness. Version 0.48.1 fixes the issue. | 2026-01-29 | not yet calculated | CVE-2026-24905 | https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-79qw-g77v-2vfh https://github.com/inspektor-gadget/inspektor-gadget/commit/7c83ad84ff7a68565655253e2cf1c5d2da695c1a |
| Internet Information Co., Ltd--DreamMaker | A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication. | 2026-01-30 | not yet calculated | CVE-2026-24728 | https://zuso.ai/advisory/za-2026-01 |
| Internet Information Co., Ltd--DreamMaker | An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file. | 2026-01-30 | not yet calculated | CVE-2026-24729 | https://zuso.ai/advisory/za-2026-02 |
| jmlepisto--clatter | Clatter is a no_std compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versions prior to 2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule (Noise Protocol Framework Section 9.3). This could allow PSK-derived keys to be used for encryption without proper randomization by self-chosen ephemeral randomness, weakening security guarantees and potentially allowing catastrophic key reuse. Affected default patterns include `noise_pqkk_psk0`, `noise_pqkn_psk0`, `noise_pqnk_psk0`, `noise_pqnn_psk0`, and some hybrid variants. Users of these patterns may have been using handshakes that do not meet the intended security properties. The issue is fully patched and released in Clatter v2.2.0. The fixed version includes runtime checks to detect offending handshake patterns. As a workaround, avoid using offending `*_psk0` variants of post-quantum patterns. Review custom handshake patterns carefully. | 2026-01-27 | not yet calculated | CVE-2026-24785 | https://github.com/jmlepisto/clatter/security/advisories/GHSA-253q-9q78-63x4 https://github.com/jmlepisto/clatter/commit/b65ae6e9b8019bed5407771e21f89ddff17c5a71 https://noiseprotocol.org/noise.html#validity-rule |
| Johnson Controls--iSTAR Configuration Utility (ICU) | Johnson Controls iSTAR Configuration Utility (ICU) has a Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility (ICU) version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the ICU tool. | 2026-01-28 | not yet calculated | CVE-2025-26386 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-04 |
| Johnson Controls--Metasys | The Johnson Controls Metasys components listed below have an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability. Successful exploitation of this vulnerability could allow remote SQL execution. This issue affects: * Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation, * Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation, * LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1, * System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior, * Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior. | 2026-01-30 | not yet calculated | CVE-2025-26385 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories |
| json--json | The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution. | 2026-01-28 | not yet calculated | CVE-2025-61140 | https://github.com/dchester/jsonpath https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d |
| kata-containers--kata-containers | Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue. | 2026-01-29 | not yet calculated | CVE-2026-24054 | https://github.com/kata-containers/kata-containers/security/advisories/GHSA-5fc8-gg7w-3g5c https://github.com/kata-containers/kata-containers/commit/20ca4d2d79aa5bf63aa1254f08915da84f19e92a https://github.com/containerd/containerd/blob/d939b6af5f8536c2cae85e919e7c40070557df0e/plugins/snapshots/overlay/overlay.go#L564-L581 https://github.com/kata-containers/kata-containers/blob/a164693e1afead84cd01d5bc3575e2cbfe64ce35/src/runtime/virtcontainers/container.go#L1122-L1126 https://github.com/kata-containers/kata-containers/blob/c7d0c270ee7dfaa6d978e6e07b99dabdaf2b9fda/src/runtime/virtcontainers/container.go#L1616-L1623 |
| libpng--libpng | Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive | 2026-01-27 | not yet calculated | CVE-2025-28162 | https://github.com/pnggroup/libpng/issues/656 https://gist.github.com/kittener/fbfdb9b5610c6b3db0d5dea045a07c60 |
| libpng--libpng | Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function. | 2026-01-27 | not yet calculated | CVE-2025-28164 | https://github.com/pnggroup/libpng/issues/655 https://gist.github.com/kittener/506516f8c22178005b4379c8b2a7de20 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: counter: interrupt-cnt: Drop IRQF_NO_THREAD flag An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as CONFIG_PROVE_RAW_LOCK_NESTING warns: ============================= [ BUG: Invalid wait context ] 6.18.0-rc1+git... #1 ----------------------------- some-user-space-process/1251 is trying to lock: (&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter] other info that might help us debug this: context-{2:2} no locks held by some-user-space-process/.... stack backtrace: CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT Call trace: show_stack (C) dump_stack_lvl dump_stack __lock_acquire lock_acquire _raw_spin_lock_irqsave counter_push_event [counter] interrupt_cnt_isr [interrupt_cnt] __handle_irq_event_percpu handle_irq_event handle_simple_irq handle_irq_desc generic_handle_domain_irq gpio_irq_handler handle_irq_desc generic_handle_domain_irq gic_handle_irq call_on_irq_stack do_interrupt_handler el0_interrupt __el0_irq_handler_common el0t_64_irq_handler el0t_64_irq ... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an alternative to switching to raw_spinlock_t, because the latter would limit all potential nested locks to raw_spinlock_t only. | 2026-01-31 | not yet calculated | CVE-2025-71180 | https://git.kernel.org/stable/c/ef668c9a2261ec9287faba6e6ef05a98b391aa2b https://git.kernel.org/stable/c/51d2e5d6491447258cb39ff1deb93df15d3c23cb https://git.kernel.org/stable/c/1c5a3175aecf82cd86dfcbef2a23e8b26d8d8e7c https://git.kernel.org/stable/c/49a66829dd3653695e60d7cae13521d131362fcd https://git.kernel.org/stable/c/425886b1f8304621b3f16632b274357067d5f13f https://git.kernel.org/stable/c/23f9485510c338476b9735d516c1d4aacb810d46 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rust_binder: remove spin_lock() in rust_shrink_free_page() When forward-porting Rust Binder to 6.18, I neglected to take commit fb56fdf8b9a2 ("mm/list_lru: split the lock to per-cgroup scope") into account, and apparently I did not end up running the shrinker callback when I sanity tested the driver before submission. This leads to crashes like the following: ============================================ WARNING: possible recursive locking detected 6.18.0-mainline-maybe-dirty #1 Tainted: G IO -------------------------------------------- kswapd0/68 is trying to acquire lock: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: lock_list_lru_of_memcg+0x128/0x230 but task is already holding lock: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&l->lock); lock(&l->lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by kswapd0/68: #0: ffffffff90d2e260 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x597/0x1160 #1: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20 #2: ffffffff90cf3680 (rcu_read_lock){....}-{1:2}, at: lock_list_lru_of_memcg+0x2d/0x230 To fix this, remove the spin_lock() call from rust_shrink_free_page(). | 2026-01-31 | not yet calculated | CVE-2025-71181 | https://git.kernel.org/stable/c/30a98c97f7874031f2e1de19c777ce011143cba4 https://git.kernel.org/stable/c/361e0ff456a8daf9753c18030533256e4133ce7a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: j1939: make j1939_session_activate() fail if device is no longer registered syzbot is still reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 even after commit 93a27b5891b8 ("can: j1939: add missing calls in NETDEV_UNREGISTER notification handler") was added. A debug printk() patch found that j1939_session_activate() can succeed even after j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER) has completed. Since j1939_cancel_active_session() is processed with the session list lock held, checking ndev->reg_state in j1939_session_activate() with the session list lock held can reliably close the race window. | 2026-01-31 | not yet calculated | CVE-2025-71182 | https://git.kernel.org/stable/c/ebb0dfd718dd31c8d3600612ca4b7207ec3d923a https://git.kernel.org/stable/c/c3a4316e3c746af415c0fd6c6d489ad13f53714d https://git.kernel.org/stable/c/46ca9dc978923c5e1247a9e9519240ba7ace413c https://git.kernel.org/stable/c/78d87b72cebe2a993fd5b017e9f14fb6278f2eae https://git.kernel.org/stable/c/ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536 https://git.kernel.org/stable/c/79dd3f1d9dd310c2af89b09c71f34d93973b200f https://git.kernel.org/stable/c/5d5602236f5db19e8b337a2cd87a90ace5ea776d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: always detect conflicting inodes when logging inode refs After rename exchanging (either with the rename exchange operation or regular renames in multiple non-atomic steps) two inodes and at least one of them is a directory, we can end up with a log tree that contains only one of the inodes and after a power failure that can result in an attempt to delete the other inode when it should not because it was not deleted before the power failure. In some cases that delete attempt fails when the target inode is a directory that contains a subvolume inside it, since the log replay code is not prepared to deal with directory entries that point to root items (only inode items). 1) We have directories "dir1" (inode A) and "dir2" (inode B) under the same parent directory; 2) We have a file (inode C) under directory "dir1" (inode A); 3) We have a subvolume inside directory "dir2" (inode B); 4) All these inodes were persisted in a past transaction and we are currently at transaction N; 5) We rename the file (inode C), so at btrfs_log_new_name() we update inode C's last_unlink_trans to N; 6) We get a rename exchange for "dir1" (inode A) and "dir2" (inode B), so after the exchange "dir1" is inode B and "dir2" is inode A. During the rename exchange we call btrfs_log_new_name() for inodes A and B, but because they are directories, we don't update their last_unlink_trans to N; 7) An fsync against the file (inode C) is done, and because its inode has a last_unlink_trans with a value of N we log its parent directory (inode A) (through btrfs_log_all_parents(), called from btrfs_log_inode_parent()). 8) So we end up with inode B not logged, which now has the old name of inode A. At copy_inode_items_to_log(), when logging inode A, we did not check if we had any conflicting inode to log because inode A has a generation lower than the current transaction (created in a past transaction); 9) After a power failure, when replaying the log tree, since we find that inode A has a new name that conflicts with the name of inode B in the fs tree, we attempt to delete inode B... this is wrong since that directory was never deleted before the power failure, and because there is a subvolume inside that directory, attempting to delete it will fail since replay_dir_deletes() and btrfs_unlink_inode() are not prepared to deal with dir items that point to roots instead of inodes. When that happens the mount fails and we get a stack trace like the following: [87.2314] BTRFS info (device dm-0): start tree-log replay [87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259 [87.2332] ------------[ cut here ]------------ [87.2338] BTRFS: Transaction aborted (error -2) [87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs] [87.2368] Modules linked in: btrfs loop dm_thin_pool (...) [87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G W 6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full) [87.2489] Tainted: [W]=WARN [87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs] [87.2538] Code: c0 89 04 24 (...) [87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286 [87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000 [87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff [87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840 [87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0 [87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10 [87.2618] FS: 00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000 [87. ---truncated--- | 2026-01-31 | not yet calculated | CVE-2025-71183 | https://git.kernel.org/stable/c/c7f0207db68d5a1b4af23acbef1a8e8ddc431ebb https://git.kernel.org/stable/c/a63998cd6687c14b160dccb0bbcf281b2eb0dab3 https://git.kernel.org/stable/c/0c2413c69129f6ce60157f7b53d9ba880260400b https://git.kernel.org/stable/c/d52af58dd463821c5c516aebb031a58934f696ea https://git.kernel.org/stable/c/7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root's id. But in btrfs_evict_inode() the root might be NULL, as implied in the next check that we do in btrfs_evict_inode(). Hence, we either should set the ->root_objectid to 0 in case the root is NULL, or we move tracing setup after checking that the root is not NULL. Setting the rootid to 0 at least gives us the possibility to trace this call even in the case when the root is NULL, so that's the solution taken here. | 2026-01-31 | not yet calculated | CVE-2025-71184 | https://git.kernel.org/stable/c/582ba48e4a4c06fef6bdcf4e57b7b9af660bbd0c https://git.kernel.org/stable/c/99e057f3d3ef24b99a7b1d84e01dd1bd890098da https://git.kernel.org/stable/c/f157dd661339fc6f5f2b574fe2429c43bd309534 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation Make sure to drop the reference taken when looking up the crossbar platform device during am335x route allocation. | 2026-01-31 | not yet calculated | CVE-2025-71185 | https://git.kernel.org/stable/c/6fdf168f57e331e148a1177a9b590a845c21b315 https://git.kernel.org/stable/c/f810132e825588fbad3cba940458c58bb7ec4d84 https://git.kernel.org/stable/c/30352277d8e09c972436f883a5efd1f1b763ac14 https://git.kernel.org/stable/c/4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: stm32: dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. | 2026-01-31 | not yet calculated | CVE-2025-71186 | https://git.kernel.org/stable/c/1a179ac01ff3993ab97e33cc77c316ed7415cda1 https://git.kernel.org/stable/c/2fb10259d4efb4367787b5ae9c94192e8a91c648 https://git.kernel.org/stable/c/3ef52d31cce8ba816739085a61efe07b63c6cf27 https://git.kernel.org/stable/c/dd6e4943889fb354efa3f700e42739da9bddb6ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: sh: rz-dmac: fix device leak on probe failure Make sure to drop the reference taken when looking up the ICU device during probe also on probe failures (e.g. probe deferral). | 2026-01-31 | not yet calculated | CVE-2025-71187 | https://git.kernel.org/stable/c/926d1666420c227eab50962a8622c1b8444720e8 https://git.kernel.org/stable/c/9fb490323997dcb6f749cd2660a17a39854600cd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: lpc18xx-dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. | 2026-01-31 | not yet calculated | CVE-2025-71188 | https://git.kernel.org/stable/c/9fba97baa520c9446df51a64708daf27c5a7ed32 https://git.kernel.org/stable/c/992eb8055a6e5dbb808672d20d68e60d5a89b12b https://git.kernel.org/stable/c/1e47d80f6720f0224efd19bcf081d39637569c10 https://git.kernel.org/stable/c/d4d63059dee7e7cae0c4d9a532ed558bc90efb55 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw: dmamux: fix OF node leak on route allocation failure Make sure to drop the reference taken to the DMA master OF node also on late route allocation failures. | 2026-01-31 | not yet calculated | CVE-2025-71189 | https://git.kernel.org/stable/c/db7c79c1bbfb1b0184e78a17ac2bd0f2bc3134d1 https://git.kernel.org/stable/c/8f7a391211381ed2f6802032c78c7820d166bc49 https://git.kernel.org/stable/c/eabe40f8a53c29f531e92778ea243e379f4f7978 https://git.kernel.org/stable/c/ec25e60f9f95464aa11411db31d0906b3fb7b9f2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: bcm-sba-raid: fix device leak on probe Make sure to drop the reference taken when looking up the mailbox device during probe on probe failures and on driver unbind. | 2026-01-31 | not yet calculated | CVE-2025-71190 | https://git.kernel.org/stable/c/c80ca7bdff158401440741bdcf9175bd8608580b https://git.kernel.org/stable/c/db6f1d6d31711e73e6a214c73e6a8fb4cda0483d https://git.kernel.org/stable/c/2ed1a9de1f2d727ccae5bc9cc7c63ee3519c0c8b https://git.kernel.org/stable/c/7c3a46ebf15a9796b763a54272407fdbf945bed8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: at_hdmac: fix device leak on of_dma_xlate() Make sure to drop the reference taken when looking up the DMA platform device during of_dma_xlate() when releasing channel resources. Note that commit 3832b78b3ec2 ("dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()") fixed the leak in a couple of error paths but the reference is still leaking on successful allocation. | 2026-01-31 | not yet calculated | CVE-2025-71191 | https://git.kernel.org/stable/c/987c71671367f42460689b78244d7b894c50999a https://git.kernel.org/stable/c/6a86cf2c09e149d5718a5b7090545f7566da9334 https://git.kernel.org/stable/c/f3c23b7e941349505c3d40de2cc0acd93d9ac057 https://git.kernel.org/stable/c/b9074b2d7a230b6e28caa23165e9d8bc0677d333 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf: Ensure swevent hrtimer is properly destroyed With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed. Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler. | 2026-01-28 | not yet calculated | CVE-2026-23014 | https://git.kernel.org/stable/c/deee9dfb111ab00f9dfd46c0c7e36656b80f5235 https://git.kernel.org/stable/c/ff5860f5088e9076ebcccf05a6ca709d5935cfa9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths The reference obtained by calling usb_get_dev() is not released in the gpio_mpsse_probe() error paths. Fix that by using device managed helper functions. Also remove the usb_put_dev() call in the disconnect function since now it will be released automatically. | 2026-01-31 | not yet calculated | CVE-2026-23015 | https://git.kernel.org/stable/c/7ea26e6dcabc270433b6ded2a1aee85b215d1b28 https://git.kernel.org/stable/c/1e876e5a0875e71e34148c9feb2eedd3bf6b2b43 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: inet: frags: drop fraglist conntrack references Jakub added a warning in nf_conntrack_cleanup_net_list() to make debugging leaked skbs/conntrack references more obvious. syzbot reports this as triggering, and I can also reproduce this via ip_defrag.sh selftest: conntrack cleanup blocked for 60s WARNING: net/netfilter/nf_conntrack_core.c:2512 [..] conntrack cleanup gets stuck because there are skbs which still hold nf_conn references via their frag_list. net.core.skb_defer_max=0 makes the hang disappear. Eric Dumazet points out that skb_release_head_state() doesn't follow the fraglist. ip_defrag.sh can only reproduce this problem since commit 6471658dc66c ("udp: use skb_attempt_defer_free()"), but AFAICS this problem could happen with TCP as well if pmtu discovery is off. The relevant problem path for udp is: 1. netns emits fragmented packets 2. nf_defrag_v6_hook reassembles them (in output hook) 3. reassembled skb is tracked (skb owns nf_conn reference) 4. ip6_output refragments 5. refragmented packets also own nf_conn reference (ip6_fragment calls ip6_copy_metadata()) 6. on input path, nf_defrag_v6_hook skips defragmentation: the fragments already have skb->nf_conn attached 7. skbs are reassembled via ipv6_frag_rcv() 8. skb_consume_udp -> skb_attempt_defer_free() -> skb ends up in pcpu freelist, but still has nf_conn reference. Possible solutions: 1 let defrag engine drop nf_conn entry, OR 2 export kick_defer_list_purge() and call it from the conntrack netns exit callback, OR 3 add skb_has_frag_list() check to skb_attempt_defer_free() 2 & 3 also solve ip_defrag.sh hang but share same drawback: Such reassembled skbs, queued to socket, can prevent conntrack module removal until userspace has consumed the packet. While both tcp and udp stack do call nf_reset_ct() before placing skb on socket queue, that function doesn't iterate frag_list skbs. Therefore drop nf_conn entries when they are placed in defrag queue. Keep the nf_conn entry of the first (offset 0) skb so that reassembled skb retains nf_conn entry for sake of TX path. Note that fixes tag is incorrect; it points to the commit introducing the 'ip_defrag.sh reproducible problem': no need to backport this patch to every stable kernel. | 2026-01-31 | not yet calculated | CVE-2026-23016 | https://git.kernel.org/stable/c/088ca99dbb039c444c3ff987c5412a73f4f0cbf8 https://git.kernel.org/stable/c/2ef02ac38d3c17f34a00c4b267d961a8d4b45d1a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix error handling in the init_task on load If the init_task fails during a driver load, we end up without vports and netdevs, effectively failing the entire process. In that state a subsequent reset will result in a crash as the service task attempts to access uninitialized resources. Following trace is from an error in the init_task where the CREATE_VPORT (op 501) is rejected by the FW: [40922.763136] idpf 0000:83:00.0: Device HW Reset initiated [40924.449797] idpf 0000:83:00.0: Transaction failed (op 501) [40958.148190] idpf 0000:83:00.0: HW reset detected [40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8 ... [40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf] [40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf] ... [40958.177932] Call Trace: [40958.178491] <TASK> [40958.179040] process_one_work+0x226/0x6d0 [40958.179609] worker_thread+0x19e/0x340 [40958.180158] ? __pfx_worker_thread+0x10/0x10 [40958.180702] kthread+0x10f/0x250 [40958.181238] ? __pfx_kthread+0x10/0x10 [40958.181774] ret_from_fork+0x251/0x2b0 [40958.182307] ? __pfx_kthread+0x10/0x10 [40958.182834] ret_from_fork_asm+0x1a/0x30 [40958.183370] </TASK> Fix the error handling in the init_task to make sure the service and mailbox tasks are disabled if the error happens during load. These are started in idpf_vc_core_init(), which spawns the init_task and has no way of knowing if it failed. If the error happens on reset, following successful driver load, the tasks can still run, as that will allow the netdevs to attempt recovery through another reset. Stop the PTP callbacks either way as those will be restarted by the call to idpf_vc_core_init() during a successful reset. | 2026-01-31 | not yet calculated | CVE-2026-23017 | https://git.kernel.org/stable/c/a514c374edcd33581cdcccf8faa7cc606a600319 https://git.kernel.org/stable/c/4d792219fe6f891b5b557a607ac8a0a14eda6e38 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before initializing extent tree in btrfs_read_locked_inode() In btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree() while holding a path with a read locked leaf from a subvolume tree, and btrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can trigger reclaim. This can create a circular lock dependency which lockdep warns about with the following splat: [6.1433] ====================================================== [6.1574] WARNING: possible circular locking dependency detected [6.1583] 6.18.0+ #4 Tainted: G U [6.1591] ------------------------------------------------------ [6.1599] kswapd0/117 is trying to acquire lock: [6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1625] but task is already holding lock: [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60 [6.1646] which lock already depends on the new lock. [6.1657] the existing dependency chain (in reverse order) is: [6.1667] -> #2 (fs_reclaim){+.+.}-{0:0}: [6.1677] fs_reclaim_acquire+0x9d/0xd0 [6.1685] __kmalloc_cache_noprof+0x59/0x750 [6.1694] btrfs_init_file_extent_tree+0x90/0x100 [6.1702] btrfs_read_locked_inode+0xc3/0x6b0 [6.1710] btrfs_iget+0xbb/0xf0 [6.1716] btrfs_lookup_dentry+0x3c5/0x8e0 [6.1724] btrfs_lookup+0x12/0x30 [6.1731] lookup_open.isra.0+0x1aa/0x6a0 [6.1739] path_openat+0x5f7/0xc60 [6.1746] do_filp_open+0xd6/0x180 [6.1753] do_sys_openat2+0x8b/0xe0 [6.1760] __x64_sys_openat+0x54/0xa0 [6.1768] do_syscall_64+0x97/0x3e0 [6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1784] -> #1 (btrfs-tree-00){++++}-{3:3}: [6.1794] lock_release+0x127/0x2a0 [6.1801] up_read+0x1b/0x30 [6.1808] btrfs_search_slot+0x8e0/0xff0 [6.1817] btrfs_lookup_inode+0x52/0xd0 [6.1825] __btrfs_update_delayed_inode+0x73/0x520 [6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120 [6.1842] btrfs_log_inode+0x608/0x1aa0 [6.1849] btrfs_log_inode_parent+0x249/0xf80 [6.1857] btrfs_log_dentry_safe+0x3e/0x60 [6.1865] btrfs_sync_file+0x431/0x690 [6.1872] do_fsync+0x39/0x80 [6.1879] __x64_sys_fsync+0x13/0x20 [6.1887] do_syscall_64+0x97/0x3e0 [6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1903] -> #0 (&delayed_node->mutex){+.+.}-{3:3}: [6.1913] __lock_acquire+0x15e9/0x2820 [6.1920] lock_acquire+0xc9/0x2d0 [6.1927] __mutex_lock+0xcc/0x10a0 [6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1944] btrfs_evict_inode+0x20b/0x4b0 [6.1952] evict+0x15a/0x2f0 [6.1958] prune_icache_sb+0x91/0xd0 [6.1966] super_cache_scan+0x150/0x1d0 [6.1974] do_shrink_slab+0x155/0x6f0 [6.1981] shrink_slab+0x48e/0x890 [6.1988] shrink_one+0x11a/0x1f0 [6.1995] shrink_node+0xbfd/0x1320 [6.1002] balance_pgdat+0x67f/0xc60 [6.1321] kswapd+0x1dc/0x3e0 [6.1643] kthread+0xff/0x240 [6.1965] ret_from_fork+0x223/0x280 [6.1287] ret_from_fork_asm+0x1a/0x30 [6.1616] other info that might help us debug this: [6.1561] Chain exists of: &delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim [6.1503] Possible unsafe locking scenario: [6.1110] CPU0 CPU1 [6.1411] ---- ---- [6.1707] lock(fs_reclaim); [6.1998] lock(btrfs-tree-00); [6.1291] lock(fs_reclaim); [6.1581] lock(&del ---truncated--- | 2026-01-31 | not yet calculated | CVE-2026-23018 | https://git.kernel.org/stable/c/92a5590851144f034adc51fee55e6878ccac716e https://git.kernel.org/stable/c/8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix NULL dereference on devlink_alloc() failure devlink_alloc() may return NULL on allocation failure, but prestera_devlink_alloc() unconditionally calls devlink_priv() on the returned pointer. This leads to a NULL pointer dereference if devlink allocation fails. Add a check for a NULL devlink pointer and return NULL early to avoid the crash. | 2026-01-31 | not yet calculated | CVE-2026-23019 | https://git.kernel.org/stable/c/8a4333b2818f0d853b43e139936c20659366e4a0 https://git.kernel.org/stable/c/325aea74be7e192b5c947c782da23b0d19a5fda2 https://git.kernel.org/stable/c/94e070cd50790317fba7787ae6006934b7edcb6f https://git.kernel.org/stable/c/3950054c9512add0cc79ab7e72b6d2f9f675e25b https://git.kernel.org/stable/c/326a4b7e61d01db3507f71c8bb5e85362f607064 https://git.kernel.org/stable/c/a428e0da1248c353557970848994f35fd3f005e2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: 3com: 3c59x: fix possible null dereference in vortex_probe1() pdev can be null and free_ring: can be called in 1297 with a null pdev. | 2026-01-31 | not yet calculated | CVE-2026-23020 | https://git.kernel.org/stable/c/053ac9e37eee435e999277c0f1ef890dad6064bf https://git.kernel.org/stable/c/6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d https://git.kernel.org/stable/c/606872c8e8bf96066730f6a2317502c5633c37f1 https://git.kernel.org/stable/c/28b2a805609699be7b90020ae7dccfb234be1ceb https://git.kernel.org/stable/c/2f05f7737e16d9a40038cc1c38a96a3f7964898b https://git.kernel.org/stable/c/d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7 https://git.kernel.org/stable/c/a4e305ed60f7c41bbf9aabc16dd75267194e0de3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: fix memory leak in update_eth_regs_async() When asynchronously writing to the device registers, if usb_submit_urb() fails, the code fails to release the resources allocated up to that point. | 2026-01-31 | not yet calculated | CVE-2026-23021 | https://git.kernel.org/stable/c/5397ea6d21c35a17707e201a60761bdee00bcc4e https://git.kernel.org/stable/c/a40af9a2904a1ab8ce61866ebe2a894ef30754ba https://git.kernel.org/stable/c/ac5d92d2826dec51e5d4c6854865bc5817277452 https://git.kernel.org/stable/c/93f18eaa190374e0f2d253e3b1a65cee19a7abe6 https://git.kernel.org/stable/c/471dfb97599eec74e0476046b3ef8e7037f27b34 https://git.kernel.org/stable/c/ce6eef731aba23a988decea1df3b08cf978f7b01 https://git.kernel.org/stable/c/afa27621a28af317523e0836dad430bec551eb54 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak in idpf_vc_core_deinit() Make sure to free hw->lan_regs. Reported by kmemleak during reset: unreferenced object 0xff1b913d02a936c0 (size 96): comm "kworker/u258:14", pid 2174, jiffies 4294958305 hex dump (first 32 bytes): 00 00 00 c0 a8 ba 2d ff 00 00 00 00 00 00 00 00 ......-......... 00 00 40 08 00 00 00 00 00 00 25 b3 a8 ba 2d ff ..@.......%...-. backtrace (crc 36063c4f): __kmalloc_noprof+0x48f/0x890 idpf_vc_core_init+0x6ce/0x9b0 [idpf] idpf_vc_event_task+0x1fb/0x350 [idpf] process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x251/0x2b0 ret_from_fork_asm+0x1a/0x30 | 2026-01-31 | not yet calculated | CVE-2026-23022 | https://git.kernel.org/stable/c/23391db8a00c23854915b8b72ec1aa10080aa540 https://git.kernel.org/stable/c/e111cbc4adf9f9974eed040aeece7e17460f6bff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak in idpf_vport_rel() Free vport->rx_ptype_lkup in idpf_vport_rel() to avoid leaking memory during a reset. Reported by kmemleak: unreferenced object 0xff450acac838a000 (size 4096): comm "kworker/u258:5", pid 7732, jiffies 4296830044 hex dump (first 32 bytes): 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 ................ backtrace (crc 3da81902): __kmalloc_cache_noprof+0x469/0x7a0 idpf_send_get_rx_ptype_msg+0x90/0x570 [idpf] idpf_init_task+0x1ec/0x8d0 [idpf] process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x251/0x2b0 ret_from_fork_asm+0x1a/0x30 | 2026-01-31 | not yet calculated | CVE-2026-23023 | https://git.kernel.org/stable/c/a4212d6732e3f674c6cc7d0b642f276d827e8f94 https://git.kernel.org/stable/c/ec602a2a4071eb956d656ba968c58fee09f0622d https://git.kernel.org/stable/c/f6242b354605faff263ca45882b148200915a3f6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak of flow steer list on rmmod The flow steering list maintains entries that are added and removed as ethtool creates and deletes flow steering rules. Module removal with active entries causes memory leak as the list is not properly cleaned up. Prevent this by iterating through the remaining entries in the list and freeing the associated memory during module removal. Add a spinlock (flow_steer_list_lock) to protect the list access from multiple threads. | 2026-01-31 | not yet calculated | CVE-2026-23024 | https://git.kernel.org/stable/c/1aedff70a5e97628eaaf17b169774cb6a45a1dc5 https://git.kernel.org/stable/c/f9841bd28b600526ca4f6713b0ca49bf7bb98452 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: prevent pcp corruption with SMP=n The kernel test robot has reported: BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28 lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0 CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470 Call Trace: <IRQ> __dump_stack (lib/dump_stack.c:95) dump_stack_lvl (lib/dump_stack.c:123) dump_stack (lib/dump_stack.c:130) spin_dump (kernel/locking/spinlock_debug.c:71) do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?) _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138) __free_frozen_pages (mm/page_alloc.c:2973) ___free_pages (mm/page_alloc.c:5295) __free_pages (mm/page_alloc.c:5334) tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290) ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289) ? rcu_core (kernel/rcu/tree.c:?) rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861) rcu_core_si (kernel/rcu/tree.c:2879) handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623) __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725) irq_exit_rcu (kernel/softirq.c:741) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052) </IRQ> <TASK> RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) free_pcppages_bulk (mm/page_alloc.c:1494) drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632) __drain_all_pages (mm/page_alloc.c:2731) drain_all_pages (mm/page_alloc.c:2747) kcompactd (mm/compaction.c:3115) kthread (kernel/kthread.c:465) ? __cfi_kcompactd (mm/compaction.c:3166) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork (arch/x86/kernel/process.c:164) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork_asm (arch/x86/entry/entry_64.S:255) </TASK> Matthew has analyzed the report and identified that in drain_page_zone() we are in a section protected by spin_lock(&pcp->lock) and then get an interrupt that attempts spin_trylock() on the same lock. The code is designed to work this way without disabling IRQs and occasionally fail the trylock with a fallback. However, the SMP=n spinlock implementation assumes spin_trylock() will always succeed, and thus it's normally a no-op. Here the enabled lock debugging catches the problem, but otherwise it could cause a corruption of the pcp structure. The problem has been introduced by commit 574907741599 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations"). The pcp locking scheme recognizes the need for disabling IRQs to prevent nesting spin_trylock() sections on SMP=n, but the need to prevent the nesting in spin_lock() has not been recognized. Fix it by introducing local wrappers that change the spin_lock() to spin_lock_irqsave() with SMP=n and use them in all places that do spin_lock(&pcp->lock). [vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven] | 2026-01-31 | not yet calculated | CVE-2026-23025 | https://git.kernel.org/stable/c/4a04ff9cd816e7346fcc8126f00ed80481f6569d https://git.kernel.org/stable/c/df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6 https://git.kernel.org/stable/c/3098f8f7c7b0686c74827aec42a2c45e69801ff8 https://git.kernel.org/stable/c/038a102535eb49e10e93eafac54352fcc5d78847 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() Fix a memory leak in gpi_peripheral_config() where the original memory pointed to by gchan->config could be lost if krealloc() fails. The issue occurs when: 1. gchan->config points to previously allocated memory 2. krealloc() fails and returns NULL 3. The function directly assigns NULL to gchan->config, losing the reference to the original memory 4. The original memory becomes unreachable and cannot be freed Fix this by using a temporary variable to hold the krealloc() result and only updating gchan->config when the allocation succeeds. Found via static analysis and code review. | 2026-01-31 | not yet calculated | CVE-2026-23026 | https://git.kernel.org/stable/c/6bf4ef078fd11910988889a6c0b3698d2e0c89af https://git.kernel.org/stable/c/01b1d781394fc9b83015e3a3cd46b17bda842bd8 https://git.kernel.org/stable/c/55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85 https://git.kernel.org/stable/c/3f747004bbd641131d9396d87b5d2d3d1e182728 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_pch_pic_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. | 2026-01-31 | not yet calculated | CVE-2026-23027 | https://git.kernel.org/stable/c/fc53a66227af08d868face4b33fa8b2e1ba187ed https://git.kernel.org/stable/c/1cf342a7c3adc5877837b53bbceb5cc9eff60bbf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_ipi_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. | 2026-01-31 | not yet calculated | CVE-2026-23028 | https://git.kernel.org/stable/c/5defcc2f9c22e6e09b5be68234ad10f4ba0292b7 https://git.kernel.org/stable/c/0bf58cb7288a4d3de6d8ecbb3a65928a9362bf21 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_eiointc_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. | 2026-01-31 | not yet calculated | CVE-2026-23029 | https://git.kernel.org/stable/c/e94ec9661c5820d157d2cc4b6cf4a6ab656a7b4d https://git.kernel.org/stable/c/7d8553fc75aefa7ec936af0cf8443ff90b51732e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() The for_each_available_child_of_node() calls of_node_put() to release child_np in each success loop. After breaking from the loop with the child_np has been released, the code will jump to the put_child label and will call the of_node_put() again if the devm_request_threaded_irq() fails. These cause a double free bug. Fix by returning directly to avoid the duplicate of_node_put(). | 2026-01-31 | not yet calculated | CVE-2026-23030 | https://git.kernel.org/stable/c/ebae26dd15140b840cf65be5e1c0daee949ba70b https://git.kernel.org/stable/c/027d42b97e6eb827c3438ebc09bab7efaee9270d https://git.kernel.org/stable/c/efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5 https://git.kernel.org/stable/c/e07dea3de508cd6950c937cec42de7603190e1ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak In gs_can_open(), the URBs for USB-in transfers are allocated, added to the parent->rx_submitted anchor and submitted. In the complete callback gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In gs_can_close() the URBs are freed by calling usb_kill_anchored_urbs(parent->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in gs_can_close(). Fix the memory leak by anchoring the URB in the gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor. | 2026-01-31 | not yet calculated | CVE-2026-23031 | https://git.kernel.org/stable/c/f905bcfa971edb89e398c98957838d8c6381c0c7 https://git.kernel.org/stable/c/08624b7206ddb9148eeffc2384ebda2c47b6d1e9 https://git.kernel.org/stable/c/9f669a38ca70839229b7ba0f851820850a2fe1f7 https://git.kernel.org/stable/c/7352e1d5932a0e777e39fa4b619801191f57e603 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: null_blk: fix kmemleak by releasing references to fault configfs items When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk driver sets up fault injection support by creating the timeout_inject, requeue_inject, and init_hctx_fault_inject configfs items as children of the top-level nullbX configfs group. However, when the nullbX device is removed, the references taken to these fault-config configfs items are not released. As a result, kmemleak reports a memory leak, for example: unreferenced object 0xc00000021ff25c40 (size 32): comm "mkdir", pid 10665, jiffies 4322121578 hex dump (first 32 bytes): 69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_ 69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject.......... backtrace (crc 1a018c86): __kmalloc_node_track_caller_noprof+0x494/0xbd8 kvasprintf+0x74/0xf4 config_item_set_name+0xf0/0x104 config_group_init_type_name+0x48/0xfc fault_config_init+0x48/0xf0 0xc0080000180559e4 configfs_mkdir+0x304/0x814 vfs_mkdir+0x49c/0x604 do_mkdirat+0x314/0x3d0 sys_mkdir+0xa0/0xd8 system_call_exception+0x1b0/0x4f0 system_call_vectored_common+0x15c/0x2ec Fix this by explicitly releasing the references to the fault-config configfs items when dropping the reference to the top-level nullbX configfs group. | 2026-01-31 | not yet calculated | CVE-2026-23032 | https://git.kernel.org/stable/c/1a3286edf4d48ce37f8982ff3c3b65159a5ecbb2 https://git.kernel.org/stable/c/d59ba448ccd595d5d65e197216cf781a87db2b28 https://git.kernel.org/stable/c/f1718da051282698aa8fa150bebb9724f6389fda https://git.kernel.org/stable/c/40b94ec7edbbb867c4e26a1a43d2b898f04b93c5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: omap-dma: fix dma_pool resource leak in error paths The dma_pool created by dma_pool_create() is not destroyed when dma_async_device_register() or of_dma_controller_register() fails, causing a resource leak in the probe error paths. Add dma_pool_destroy() in both error paths to properly release the allocated dma_pool resource. | 2026-01-31 | not yet calculated | CVE-2026-23033 | https://git.kernel.org/stable/c/88a9483f093bbb9263dcf21bc7fdb5132e5de88d https://git.kernel.org/stable/c/4b93712e96be17029bd22787f2e39feb0e73272c https://git.kernel.org/stable/c/829b00481734dd54e72f755fd6584bce6fbffbb0 https://git.kernel.org/stable/c/2e1136acf8a8887c29f52e35a77b537309af321f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Fix fence reference leak on queue teardown v2 The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference. When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the last_fence reference. Because of the missing dma_fence_put(), the last fence object can stay alive when the driver unloads. This leaves an allocated object in the amdgpu_userq_fence slab cache and triggers This is visible during driver unload as: BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown() kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects Call Trace: kmem_cache_destroy amdgpu_userq_fence_slab_fini amdgpu_exit __do_sys_delete_module Fix this by putting userq->last_fence and clearing the pointer during amdgpu_userq_fence_driver_free(). This makes sure the fence reference is released and the slab cache is empty when the module exits. v2: Update to only release userq->last_fence with dma_fence_put() (Christian) (cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb) | 2026-01-31 | not yet calculated | CVE-2026-23034 | https://git.kernel.org/stable/c/e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175 https://git.kernel.org/stable/c/b2426a211dba6432e32a2e70e9183c6e134475c6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails. Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a valid netdev. On mlx5e_remove: Check validity of priv->profile, before attempting to cleanup any resources that might be not there. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops BUG: kernel NULL pointer dereference, address: 0000000000000370 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100 RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286 RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0 RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10 R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0 R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400 FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0 Call Trace: <TASK> mlx5e_remove+0x57/0x110 device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140 | 2026-01-31 | not yet calculated | CVE-2026-23035 | https://git.kernel.org/stable/c/a7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02 https://git.kernel.org/stable/c/66a25f6b7c0bfd84e6d27b536f5d24116dbd52da https://git.kernel.org/stable/c/4ef8512e1427111f7ba92b4a847d181ff0aeec42 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before iget_failed() in btrfs_read_locked_inode() In btrfs_read_locked_inode() if we fail to lookup the inode, we jump to the 'out' label with a path that has a read locked leaf and then we call iget_failed(). This can result in an ABBA deadlock, since iget_failed() triggers inode eviction and that causes the release of the delayed inode, which must lock the delayed inode's mutex, and a task updating a delayed inode starts by taking the node's mutex and then modifying the inode's subvolume btree. Syzbot reported the following lockdep splat for this: ====================================================== WARNING: possible circular locking dependency detected syzkaller #0 Not tainted ------------------------------------------------------ btrfs-cleaner/8725 is trying to acquire lock: ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 but task is already holding lock: ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{4:4}: __lock_release kernel/locking/lockdep.c:5574 [inline] lock_release+0x198/0x39c kernel/locking/lockdep.c:5889 up_read+0x24/0x3c kernel/locking/rwsem.c:1632 btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169 btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline] btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133 btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395 __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032 btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline] __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141 __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176 btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219 flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828 do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158 btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226 process_one_work+0x7e8/0x155c kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3427 kthread+0x5fc/0x75c kernel/kthread.c:463 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844 -> #0 (&delayed_node->mutex){+.+.}-{4:4}: check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain kernel/locking/lockdep.c:3908 [inline] __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237 lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868 __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598 __mutex_lock kernel/locking/mutex.c:760 [inline] mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812 __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline] btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326 btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587 evict+0x414/0x928 fs/inode.c:810 iput_final fs/inode.c:1914 [inline] iput+0x95c/0xad4 fs/inode.c:1966 iget_failed+0xec/0x134 fs/bad_inode.c:248 btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101 btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837 btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline] btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf ---truncated--- | 2026-01-31 | not yet calculated | CVE-2026-23036 | https://git.kernel.org/stable/c/65241e3ddda60b53a4ee3ae12721fc9ee21d5827 https://git.kernel.org/stable/c/1e1f2055ad5a7a5d548789b334a4473a7665c418 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: allow partial RX URB allocation to succeed When es58x_alloc_rx_urbs() fails to allocate the requested number of URBs but succeeds in allocating some, it returns an error code. This causes es58x_open() to return early, skipping the cleanup label 'free_urbs', which leads to the anchored URBs being leaked. As pointed out by maintainer Vincent Mailhol, the driver is designed to handle partial URB allocation gracefully. Therefore, partial allocation should not be treated as a fatal error. Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been allocated, restoring the intended behavior and preventing the leak in es58x_open(). | 2026-01-31 | not yet calculated | CVE-2026-23037 | https://git.kernel.org/stable/c/611e839d2d552416b498ed5593e10670f61fcd4d https://git.kernel.org/stable/c/ba45e3d6b02c97dbb4578fbae7027fd66f3caa10 https://git.kernel.org/stable/c/6c5124a60989051799037834f0a1a4b428718157 https://git.kernel.org/stable/c/b1979778e98569c1e78c2c7f16bb24d76541ab00 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, the function jumps to the out_scratch label without freeing the already allocated dsaddrs list, leading to a memory leak. Fix this by jumping to the out_err_drain_dsaddrs label, which properly frees the dsaddrs list before cleaning up other resources. | 2026-01-31 | not yet calculated | CVE-2026-23038 | https://git.kernel.org/stable/c/869862056e100973e76ce9f5f1b01837771b7722 https://git.kernel.org/stable/c/86da7efd12295a7e2b4abde5e5984c821edd938f https://git.kernel.org/stable/c/ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb https://git.kernel.org/stable/c/0c728083654f0066f5e10a1d2b0bd0907af19a58 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/gud: fix NULL fb and crtc dereferences on USB disconnect On disconnect drm_atomic_helper_disable_all() is called which sets both the fb and crtc for a plane to NULL before invoking a commit. This causes a kernel oops on every display disconnect. Add guards for those dereferences. | 2026-01-31 | not yet calculated | CVE-2026-23039 | https://git.kernel.org/stable/c/a255ec07f91d4c73a361a28b7a3d82f5710245f1 https://git.kernel.org/stable/c/dc2d5ddb193e363187bae2ad358245642d2721fb |
| liuyueyi--quick-media | Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGImageEncoder.Java. This issue affects quick-media: before v1.0. | 2026-01-27 | not yet calculated | CVE-2026-24806 | https://github.com/liuyueyi/quick-media/pull/122 |
| liuyueyi--quick-media | Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java. This issue affects quick-media: before v1.0. | 2026-01-27 | not yet calculated | CVE-2026-24807 | https://github.com/liuyueyi/quick-media/pull/123 |
| LiveHelperChat--LiveHelperChat | Stored Cross-Site Scripting (XSS) vulnerability in the PDF file upload functionality of Live Helper Chat, versions prior to 4.72. An attacker can upload a malicious PDF file containing an XSS payload, which will be executed in the user's context when they download and open the file via the link generated by the application. The vulnerability allows arbitrary JavaScript code to be executed in the user's local context. | 2026-01-28 | not yet calculated | CVE-2026-0483 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-vulnerability-livehelperchat |
| lobehub--lobe-chat | LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file. By manipulating the size value provided in the client upload request, it is possible to bypass the monthly upload quota enforced by the server and continuously upload files beyond the intended storage and traffic limits. This abuse can result in a discrepancy between actual resource consumption and billing calculations, causing direct financial impact to the service operator. Additionally, exhaustion of storage or related resources may lead to degraded service availability, including failed uploads, delayed content delivery, or temporary suspension of upload functionality for legitimate users. A single malicious user can also negatively affect other users or projects sharing the same subscription plan, effectively causing an indirect denial of service (DoS). Furthermore, excessive and unaccounted-for uploads can distort monitoring metrics and overload downstream systems such as backup processes, malware scanning, and media processing pipelines, ultimately undermining overall operational stability and service reliability. Version 1.143.3 contains a patch for the issue. | 2026-01-30 | not yet calculated | CVE-2026-23835 | https://github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5 |
| Meta--react-server-dom-webpack | Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage, depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components. | 2026-01-26 | not yet calculated | CVE-2026-23864 | https://www.facebook.com/security/advisories/cve-2026-23864 |
| Micron Technology, Inc.--Crucial Storage Executive | Crucial Storage Executive installer versions prior to 11.08.082025.00 contain a DLL preloading vulnerability. During installation, the installer runs with elevated privileges and loads Windows DLLs using an uncontrolled search path, which can cause a malicious DLL placed alongside the installer to be loaded instead of the intended system library. A local attacker who can convince a victim to run the installer from a directory containing the attacker-supplied DLL can achieve arbitrary code execution with administrator privileges. | 2026-01-26 | not yet calculated | CVE-2025-71178 | https://eu.crucial.com/support/storage-executive https://www.vulncheck.com/advisories/crucial-storage-executive-installer-dll-preloading-lpe |
| Mintplex-Labs--anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue. | 2026-01-26 | not yet calculated | CVE-2026-24477 | https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwf |
| monkey--monkey | An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63649 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63650 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63651 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63652 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63653 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63655 | https://github.com/monkey/monkey/issues/427 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63656 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63657 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey--monkey | A stack overflow in the mk_http_index_lookup function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63658 | https://github.com/monkey/monkey/issues/427 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| Mozilla--Firefox | Mitigation bypass in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 147.0.2. | 2026-01-27 | not yet calculated | CVE-2026-24868 | https://bugzilla.mozilla.org/show_bug.cgi?id=2007302 https://www.mozilla.org/security/advisories/mfsa2026-06/ |
| Mozilla--Firefox | Use-after-free in the Layout: Scrolling and Overflow component. This vulnerability affects Firefox < 147.0.2. | 2026-01-27 | not yet calculated | CVE-2026-24869 | https://bugzilla.mozilla.org/show_bug.cgi?id=2008698 https://www.mozilla.org/security/advisories/mfsa2026-06/ |
| Mozilla--Thunderbird | When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability affects Thunderbird < 147.0.1 and Thunderbird < 140.7.1. | 2026-01-28 | not yet calculated | CVE-2026-0818 | https://bugzilla.mozilla.org/show_bug.cgi?id=1881530 https://www.mozilla.org/security/advisories/mfsa2026-07/ https://www.mozilla.org/security/advisories/mfsa2026-08/ |
| MuntashirAkon--AppManager | Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java. This issue affects AppManager: before 4.0.4. | 2026-01-27 | not yet calculated | CVE-2026-1464 | https://github.com/MuntashirAkon/AppManager/pull/1598 |
| N3uron--N3uron | An issue in N3uron Web User Interface v.1.21.7-240207.1047 allows a remote attacker to escalate privileges via the password hashing on the client side using the MD5 algorithm over a predictable string format | 2026-01-29 | not yet calculated | CVE-2025-69929 | http://n3uron.com https://www.linkedin.com/in/joselabreu https://gist.github.com/JoseAbreu28/67f5d8bfc7ba1def526efeda5771a244 |
| NAVER--billboard.js | billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding. | 2026-01-28 | not yet calculated | CVE-2026-1513 | https://cve.naver.com/detail/cve-2026-1513.html |
| neka-nat--cupoch | Out-of-bounds Write vulnerability in neka-nat cupoch (third_party/libjpeg-turbo/libjpeg-turbo modules). This vulnerability is associated with program files tjbench.C. This issue affects cupoch. | 2026-01-27 | not yet calculated | CVE-2026-24797 | https://github.com/neka-nat/cupoch/pull/138 |
| NETGEAR--NETGEAR products | Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box. | 2026-01-30 | not yet calculated | CVE-2026-24714 | https://www.netgear.com/about/eos/ https://jvn.jp/en/jp/JVN46722282/ |
| nocodb--nocodb | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect (open redirect) vulnerability exists in NocoDB's login flow due to missing validation of the `continueAfterSignIn` parameter. During authentication, NocoDB processes a user-controlled redirect value and conditionally performs client-side navigation without enforcing any restrictions on the destination's origin, domain or protocol. This allows attackers to redirect authenticated users to arbitrary external websites after login. This vulnerability enables phishing attacks by leveraging user trust in the legitimate NocoDB login flow. While it does not directly expose credentials or bypass authentication, it increases the likelihood of credential theft through social engineering. The issue does not allow arbitrary code execution or privilege escalation, but it undermines authentication integrity. Version 0.301.0 fixes the issue. | 2026-01-28 | not yet calculated | CVE-2026-24768 | https://github.com/nocodb/nocodb/security/advisories/GHSA-3hmw-8mw3-rmpj |
| nocodb--nocodb | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB's attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application's origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue. | 2026-01-28 | not yet calculated | CVE-2026-24769 | https://github.com/nocodb/nocodb/security/advisories/GHSA-q5c6-h22r-qpwr |
| Node.js--Node.js | The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. | 2026-01-28 | not yet calculated | CVE-2025-57283 | https://www.npmjs.com https://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1 |
| nvm-sh--nvm | A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'. | 2026-01-29 | not yet calculated | CVE-2026-1665 | Fix commit Release v0.40.4 nvm GitHub repository https://github.com/nvm-sh/nvm/pull/3380 |
| OctoPrint--OctoPrint | OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Because API key validation uses a character-based comparison that short-circuits on the first mismatched character, rather than a cryptographic method with static runtime regardless of the point of mismatch, an attacker with network-based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guessing an API key character by character. The vulnerability is patched in version 1.11.6. The likelihood of this attack actually working is highly dependent on the network's latency, noise and similar parameters. An actual proof of concept was not achieved so far. Still, as always, administrators are advised not to expose their OctoPrint instance on hostile networks, especially not on the public Internet. | 2026-01-27 | not yet calculated | CVE-2026-23892 | https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xg4x-w2j3-57h6 https://github.com/OctoPrint/OctoPrint/commit/249fd80ab01bc4b7dabedff768230a0fb5d01a8c https://github.com/OctoPrint/OctoPrint/releases/tag/1.11.6 |
| OneFlow--OneFlow | A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted tensor shapes. | 2026-01-28 | not yet calculated | CVE-2025-65886 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10666 |
| OneFlow--OneFlow | A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero. | 2026-01-28 | not yet calculated | CVE-2025-65887 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10665 |
| OneFlow--OneFlow | A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value. | 2026-01-28 | not yet calculated | CVE-2025-65888 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10664 |
| OneFlow--OneFlow | A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-65889 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10663 |
| OneFlow--OneFlow | A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index. | 2026-01-28 | not yet calculated | CVE-2025-65890 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10662 |
| OneFlow--OneFlow | A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a Denial of Service (DoS) by invoking flow.cuda.get_device_properties() with an invalid or negative device index. | 2026-01-28 | not yet calculated | CVE-2025-65891 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10661 |
| OneFlow--OneFlow | A GPU device-ID validation flaw in the flow.cuda.get_device_capability() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted device ID. | 2026-01-28 | not yet calculated | CVE-2025-70999 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow/issues/10660 |
| OneFlow--OneFlow | An issue in the flow.cuda.BoolTensor component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71000 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow/issues/10659 |
| OneFlow--OneFlow | A segmentation violation in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71001 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow/issues/10658 |
| OneFlow--OneFlow | A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71002 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10657 |
| OneFlow--OneFlow | An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71003 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10656 |
| OneFlow--OneFlow | A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71004 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10655 |
| OneFlow--OneFlow | A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71005 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10654 |
| OneFlow--OneFlow | A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71006 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10653 |
| OneFlow--OneFlow | An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71007 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10652 |
| OneFlow--OneFlow | A segmentation violation in the oneflow._oneflow_internal.autograd.Function.FunctionCtx.mark_non_differentiable component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-29 | not yet calculated | CVE-2025-71008 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10651 |
| OneFlow--OneFlow | An input validation vulnerability in the flow.scatter/flow.scatter_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via crafted indices. | 2026-01-29 | not yet calculated | CVE-2025-71009 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10649 |
| OneFlow--OneFlow | An input validation vulnerability in the flow.Tensor.new_empty/flow.Tensor.new_ones/flow.Tensor.new_zeros component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-29 | not yet calculated | CVE-2025-71011 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10648 |
| openemr--openemr | OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. Contents of Clinical Notes and Care Plan, where an encounter has Sensitivity=high, can be viewed and changed by users who do not have Sensitivities=high privilege. Version 7.0.4 fixes the issue. | 2026-01-27 | not yet calculated | CVE-2025-54373 | https://github.com/openemr/openemr/security/advisories/GHSA-739g-6m63-p7fr https://github.com/openemr/openemr/commit/aef3d1c85d9ff2f28d3d361d2818aee79b6dcd33 |
| OpenSSL--OpenSSL | Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations. When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference. Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity. The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue. OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12. | 2026-01-27 | not yet calculated | CVE-2025-11187 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit |
| OpenSSL--OpenSSL | Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-15467 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service. Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-15468 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit |
| OpenSSL--OpenSSL | Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated. When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath. The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected. The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary. OpenSSL 3.5 and 3.6 are vulnerable to this issue. OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-15469 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit |
| OpenSSL--OpenSSL | Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service). In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs. This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks. Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-66199 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit |
| OpenSSL--OpenSSL | Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. | 2026-01-27 | not yet calculated | CVE-2025-68160 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection. The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes. However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-69418 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-69419 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-69420 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. | 2026-01-27 | not yet calculated | CVE-2025-69421 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2026-22795 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL--OpenSSL | Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. | 2026-01-27 | not yet calculated | CVE-2026-22796 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenText--Vertica | Cleartext Storage of Sensitive Information vulnerability in OpenText™ Vertica allows Retrieve Embedded Sensitive Data. The vulnerability could read Vertica agent plaintext apikey. This issue affects Vertica versions: 23.X, 24.X, 25.X. | 2026-01-30 | not yet calculated | CVE-2024-9432 | https://portal.microfocus.com/s/article/KM000044937?language=en_US |
| OpenVPN--OpenVPN | Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of service | 2026-01-30 | not yet calculated | CVE-2025-15497 | https://community.openvpn.net/Security%20Announcements/CVE-2025-15497 https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00156.html |
| opf--openproject | OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject's repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, `rev=--output=/tmp/poc.txt`), an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6. | 2026-01-28 | not yet calculated | CVE-2026-24685 | https://github.com/opf/openproject/security/advisories/GHSA-74p5-9pr3-r6pw |
| orval-labs--orval | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix. | 2026-01-30 | not yet calculated | CVE-2026-25141 | https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227 https://github.com/orval-labs/orval/releases/tag/v7.21.0 https://github.com/orval-labs/orval/releases/tag/v8.2.0 |
| Phala-Network--dcap-qvl | dcap-qvl implements the quote verification logic for DCAP (Data Center Attestation Primitives). A vulnerability present in versions prior to 0.3.9 involves a critical gap in the cryptographic verification process within the dcap-qvl. The library fetches QE Identity collateral (including qe_identity, qe_identity_signature, and qe_identity_issuer_chain) from the PCCS. However, it does not verify the QE Identity signature against its certificate chain and does not enforce policy constraints on the QE Report. An attacker can forge the QE Identity data to whitelist a malicious or non-Intel Quoting Enclave. This allows the attacker to forge the QE and sign untrusted quotes that the verifier will accept as valid. Effectively, this bypasses the entire remote attestation security model, as the verifier can no longer trust the entity responsible for signing the quotes. All deployments utilizing the dcap-qvl library for SGX or TDX quote verification are affected. The vulnerability has been patched in dcap-qvl version 0.3.9. The fix implements the missing cryptographic verification for the QE Identity signature and enforces the required checks for MRSIGNER, ISVPRODID, and ISVSVN against the QE Report. Users of the `@phala/dcap-qvl-node` and `@phala/dcap-qvl-web` packages should switch to the pure JavaScript implementation, `@phala/dcap-qvl`. There are no known workarounds for this vulnerability. Users must upgrade to the patched version to ensure that QE Identity collateral is properly verified. | 2026-01-26 | not yet calculated | CVE-2026-22696 | https://github.com/Phala-Network/dcap-qvl/security/advisories/GHSA-796p-j2gh-9m2q |
| pilgrimage233--Minecraft-Rcon-Manage | Improper Control of Generation of Code ('Code Injection') vulnerability in pilgrimage233 Minecraft-Rcon-Manage. This issue affects Minecraft-Rcon-Manage: before 3.0. | 2026-01-27 | not yet calculated | CVE-2026-24871 | https://github.com/pilgrimage233/Minecraft-Rcon-Manage/pull/13 |
| Pix-Link--LV-WR21Q | Pix-Link LV-WR21Q does not enforce any form of authentication for the endpoint /goform/getHomePageInfo. A remote unauthenticated attacker can use this endpoint to, for example, retrieve the cleartext password to the access point. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2026-01-27 | not yet calculated | CVE-2025-12386 | https://cert.pl/en/posts/2026/01/CVE-2025-12386 https://www.pix-link.com/lv-wr21q https://github.com/wcyb/security_research |
| Pix-Link--LV-WR21Q | A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing a non-existent language parameter. This renders the server unable to serve the correct lang.js file, which causes the administrator panel to stop working, resulting in DoS until the language setting is reverted to a correct value. The Denial of Service affects only the administrator panel and does not affect other router functionalities. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2026-01-27 | not yet calculated | CVE-2025-12387 | https://cert.pl/en/posts/2026/01/CVE-2025-12386 https://www.pix-link.com/lv-wr21q https://github.com/wcyb/security_research |
| pnpm--pnpm | pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies and CI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch. | 2026-01-26 | not yet calculated | CVE-2026-24056 | https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f https://github.com/pnpm/pnpm/releases/tag/v10.28.2 |
| pnpm--pnpm | pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch. | 2026-01-26 | not yet calculated | CVE-2026-24131 | https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943 https://github.com/pnpm/pnpm/releases/tag/v10.28.2 |
| PodcastGenerator--PodcastGenerator | A Stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the 'TITLE', 'SHORT DESCRIPTION' and 'LONG DESCRIPTION' parameters. The saved payload gets executed on 'View All Live Items' and 'Live Stream' pages. | 2026-01-28 | not yet calculated | CVE-2025-70336 | https://github.com/PodcastGenerator/PodcastGenerator https://github.com/aryasahil96-manu/CVE-Disclosures/blob/main/CVE-2025-70336 |
| podman-desktop--podman-desktop | Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to completely circumvent permission checks and gain unauthorized access to all authentication sessions. The `isAccessAllowed()` function unconditionally returns `true`, enabling malicious extensions to impersonate any user, hijack authentication sessions, and access sensitive resources without authorization. This vulnerability affects all versions of Podman Desktop. Version 1.25.1 contains a patch for the issue. | 2026-01-28 | not yet calculated | CVE-2026-24835 | https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-v3fx-qg34-6g9m https://drive.google.com/file/d/1ib4RG34mGHDlXeyib8L2j9L5rEDxuDM5/view?usp=sharing |
| praydog--REFramework | An issue from the component luaG_runerror in dependencies/lua/src/ldebug.c in praydog/REFramework version before 1.5.5 leads to a heap-buffer overflow when a recursive error occurs. | 2026-01-27 | not yet calculated | CVE-2026-24809 | https://github.com/praydog/REFramework/pull/1320 |
| praydog--UEVR | Out-of-bounds Write vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files ldebug.C, lvm.C. This issue affects UEVR: before 1.05. | 2026-01-27 | not yet calculated | CVE-2026-24817 | https://github.com/praydog/UEVR/pull/336 |
| praydog--UEVR | Out-of-bounds Read vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files lparser.C. This issue affects UEVR: before 1.05. | 2026-01-27 | not yet calculated | CVE-2026-24818 | https://github.com/praydog/UEVR/pull/337 |
| Progress Software--Chef Inspec | Chef InSpec up to version 5.23 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption. This issue affects Chef Inspec: through 5.23. | 2026-01-30 | not yet calculated | CVE-2025-6723 | https://docs.chef.io/inspec/ |
| pwncollege--dojo | pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary javascript which runs on the same origin as `http[:]//dojo[.]website`. This is a sandbox escape leading to arbitrary javascript execution as the dojo's origin. A challenge author can craft a page that executes any dangerous actions that the user could. Version e33da14449a5abcff507e554f66e2141d6683b0a patches the issue. | 2026-01-29 | not yet calculated | CVE-2026-25117 | https://github.com/pwncollege/dojo/security/advisories/GHSA-wvcf-9xm8-7mrg https://github.com/pwncollege/dojo/commit/e33da14449a5abcff507e554f66e2141d6683b0a |
| py-pdf--pypdf | pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually. | 2026-01-27 | not yet calculated | CVE-2026-24688 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-2q4j-m29v-hq73 https://github.com/py-pdf/pypdf/pull/3610 https://github.com/py-pdf/pypdf/commit/b1282f8dcdc1a7b41ceab6740ffddfdf31b1fec1 https://github.com/py-pdf/pypdf/releases/tag/6.6.2 |
| qgis--QGIS | QGIS is a free, open source, cross platform geographical information system (GIS). The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it used the `pull_request_target` trigger and then checked out and executed untrusted pull request code in a privileged context. Workflows triggered by `pull_request_target` ran with the base repository's credentials and access to secrets. If these workflows then checked out and executed code from the head of an external pull request (which could have been attacker controlled), the attacker could have executed arbitrary commands with elevated privileges. This insecure pattern has been documented as a security risk by GitHub and security researchers. Commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 removed the vulnerable code. | 2026-01-27 | not yet calculated | CVE-2026-24480 | https://github.com/qgis/QGIS/security/advisories/GHSA-7h99-4f97-h6rw https://github.com/qgis/QGIS/commit/76a693cd91650f9b4e83edac525e5e4f90d954e9 |
| Quatuor--Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'txAny' in '/evaluacion_competencias_autoeval_list.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1472 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_competencias_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1473 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_inicio.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1474 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_acciones_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1475 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_acciones_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1476 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_competencias_evalua_old.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1477 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_hca_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1478 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_hca_ver_auto.asp', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1479 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1480 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1481 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_evaluacion' in '/evaluacion_objetivos_evalua_definido.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1482 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor--Evaluacin de Desempeo (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1483 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Rails--activestorage | Active Storage allowed transformation methods potentially unsafe. Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods that allow for the circumvention of the safe defaults, which enables potential command injection vulnerabilities in cases where arbitrary user-supplied input is accepted as valid transformation methods or parameters. Impact: This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: `<%= image_tag blob.variant(params[:t] => params[:v]) %>` where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds: Consuming user-supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user-supplied methods and parameters should be performed, as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits: Thank you [lio346](https://hackerone.com/lio346) for reporting this! | 2026-01-30 | not yet calculated | CVE-2025-24293 | https://github.com/advisories/GHSA-r4mg-4433-c7g3 |
| Ralim--IronOS | Vulnerability in Ralim IronOS (source/Core/BSP/Pinecilv2/bl_mcu_sdk/components/ble/ble_stack/common/tinycrypt/source modules). This vulnerability is associated with program files ecc_dsa.C. This issue affects IronOS: before v2.23-rc3. | 2026-01-27 | not yet calculated | CVE-2026-24801 | https://github.com/Ralim/IronOS/pull/2087 |
| RawTherapee--RawTherapee | Integer Overflow or Wraparound vulnerability in RawTherapee (rtengine modules). This vulnerability is associated with program files dcraw.Cc. This issue affects RawTherapee: through 5.11. | 2026-01-27 | not yet calculated | CVE-2026-24808 | https://github.com/RawTherapee/RawTherapee/pull/7359 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection. | 2026-01-26 | not yet calculated | CVE-2025-9615 | https://access.redhat.com/security/cve/CVE-2025-9615 RHBZ#2391503 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1809 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2327 |
| rethinkdb--rethinkdb | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in rethinkdb (src/cjson modules). This vulnerability is associated with program files cJSON.Cc. This issue affects rethinkdb: through v2.4.4. | 2026-01-27 | not yet calculated | CVE-2026-24810 | https://github.com/rethinkdb/rethinkdb/pull/7163 |
| RLE NOVA--PlanManager | Stored Cross-Site Scripting (XSS) in RLE NOVA's PlanManager. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting malicious payload through the 'comment' and 'brand' parameters in '/index.php'. The payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-01-29 | not yet calculated | CVE-2026-1469 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-rle-novas-planmanager |
| root-project--root | Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inffast.C. This issue affects root. | 2026-01-27 | not yet calculated | CVE-2026-24811 | https://github.com/root-project/root/pull/18526 |
| root-project--root | Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inftrees.C. This issue affects root: through 6.36.00-rc1. | 2026-01-27 | not yet calculated | CVE-2026-24812 | https://github.com/root-project/root/pull/18527 |
| Schneider Electric--EcoStruxure Process Expert | CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executable service binaries are modified in the installation folder by a local user with normal privilege upon service restart. | 2026-01-29 | not yet calculated | CVE-2025-13905 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-02.pdf |
| shaarli--Shaarli | Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starts with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary HTML, leading to a possible XSS attack. Version 0.16.0 fixes the issue. | 2026-01-26 | not yet calculated | CVE-2026-24476 | https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063 |
| sharpred--deepHas | deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8. | 2026-01-29 | not yet calculated | CVE-2026-25047 | https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27 https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465 |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges. | 2026-01-26 | not yet calculated | CVE-2026-24428 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-incorrect-authorization-allows-administrator-password-change |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated access to the management interface. | 2026-01-26 | not yet calculated | CVE-2026-24429 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-hardcoded-default-password-for-built-in-account |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception. | 2026-01-26 | not yet calculated | CVE-2026-24430 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-http-responses-expose-plaintext-credentials |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to the affected management pages can directly view credentials. | 2026-01-26 | not yet calculated | CVE-2026-24431 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered by an authenticated user's browser, modify administrative passwords and other configuration settings. | 2026-01-26 | not yet calculated | CVE-2026-24432 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users access the affected management pages. | 2026-01-26 | not yet calculated | CVE-2026-24433 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-stored-xss-via-user-name-field |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: * in combination with Access-Control-Allow-Credentials: true, allowing attacker-controlled origins to issue credentialed cross-origin requests. | 2026-01-26 | not yet calculated | CVE-2026-24435 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-permissive-cors-allows-cross-origin-data-access |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts against administrative credentials. | 2026-01-26 | not yet calculated | CVE-2026-24436 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-lacks-rate-limiting-on-authentication |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access. | 2026-01-26 | not yet calculated | CVE-2026-24437 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-cache-controls-for-credential-bearing-pages |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable script. | 2026-01-26 | not yet calculated | CVE-2026-24439 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-lacks-x-content-type-options-header |
| Shenzhen Tenda Technology Co., Ltd.--W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) allow account passwords to be changed through the maintenance interface without requiring verification of the existing password. This enables unauthorized password changes when access to the affected endpoint is obtained. | 2026-01-26 | not yet calculated | CVE-2026-24440 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-allows-password-change-without-verifying-current-password |
| Significant-Gravitas--AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix. | 2026-01-29 | not yet calculated | CVE-2026-24780 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-r277-3xc5-c79v https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/external/v1/routes.py#L79-L93 https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L1408-L1424 https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L355-L395 https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/blocks/block.py#L15-L78 https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/data/block.py#L459 |
| sigstore--sigstore-python | sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sends it as a parameter in the authentication request, but the "state" in the server response seems not to be cross-checked with this value. Version 4.2.0 contains a patch for the issue. | 2026-01-26 | not yet calculated | CVE-2026-24408 | https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0 |
| silabs.com--Silicon Labs Zigbee Stack | After receiving a malformed 802.15.4 MAC Data Request the Zigbee Coordinator sends a 'network leave' request to Zigbee router resulting in the Zigbee Router getting stuck in a non-rejoinable state. If a suitable parent is not available, the end devices will be unable to rejoin. A manual recommissioning is required to recover the Zigbee Router. | 2026-01-30 | not yet calculated | CVE-2025-7964 | https://community.silabs.com/068Vm00000dspiL |
| simsong--bulk_extractor | `bulk_extractor` is a digital forensics exploitation tool. Starting in version 1.4, `bulk_extractor`'s embedded unrar code has a heap buffer overflow in the RAR PPM LZ decoding path. A crafted RAR inside a disk image causes an out of bounds write in `Unpack::CopyString`, leading to a crash under ASAN (and likely a crash or memory corruption in production builds). There's potential for using this for RCE. As of time of publication, no known patches are available. | 2026-01-28 | not yet calculated | CVE-2026-24857 | https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q |
| simsong--tcpflow | tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available. | 2026-01-29 | not yet calculated | CVE-2026-25061 | https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6 |
| SmarterTools--SmarterMail | SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication. | 2026-01-29 | not yet calculated | CVE-2026-25067 | https://www.smartertools.com/smartermail/release-notes/current https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-background-of-the-day-path-coercion |
| SpringBlade--SpringBlade | Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data. | 2026-01-26 | not yet calculated | CVE-2025-70982 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/34 https://gist.github.com/old6ma/ea60151aa40ddc1cfb51fbaa0c173117 |
| SunFounder--Pironman Dashboard (pm_dashboard) | SunFounder Pironman Dashboard (pm_dashboard) version 1.3.13 and prior contain a path traversal vulnerability in the log file API endpoints. An unauthenticated remote attacker can supply traversal sequences via the filename parameter to read and delete arbitrary files. Successful exploitation can disclose sensitive information and delete critical system files, resulting in data loss and potential system compromise or denial of service. | 2026-01-31 | not yet calculated | CVE-2026-25069 | https://github.com/sunfounder/pm_dashboard https://github.com/sunfounder/pm_dashboard/blob/main/pm_dashboard/pm_dashboard.py#L62 https://github.com/sunfounder/pm_dashboard/blob/main/pm_dashboard/pm_dashboard.py#L440 https://www.vulncheck.com/advisories/sunfounder-pironman-dashboard-path-traversal-arbitrary-file-read-deletion https://gist.github.com/chapochapo/5db8702ede862af5c59a28b5d5a0aba3 |
| SuperDuper!--Super-Duper! | An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allows a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls. | 2026-01-29 | not yet calculated | CVE-2025-69604 | http://shirt.com https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_v312_now_available |
| swoole--swoole-src | Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C. This issue affects swoole-src: before 6.0.2. | 2026-01-27 | not yet calculated | CVE-2026-24814 | https://github.com/swoole/swoole-src/pull/5698 |
| tale--tale | Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code. | 2026-01-29 | not yet calculated | CVE-2025-69749 | https://github.com/otale/tale https://github.com/milantgh/otalexss |
| The Wikimedia Foundation--Mediawiki - DiscussionTools Extension | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup. This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43. | 2026-01-30 | not yet calculated | CVE-2025-11175 | https://phabricator.wikimedia.org/T396248 https://gerrit.wikimedia.org/r/q/I563219f3298a8740e158d130492bf3d2897784d7 https://phabricator.wikimedia.org/T364910 https://gerrit.wikimedia.org/r/q/I126203ab1d3ec8c1719cbb5460a887e4d0c2cc6d |
| tildearrow--furnace | Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in tildearrow furnace (extern/zlib modules). This vulnerability is associated with program files inflate.C. | 2026-01-27 | not yet calculated | CVE-2026-24800 | https://github.com/tildearrow/furnace/pull/2471 |
| TOTOLINK--X6000R | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection. This issue affects X6000R: through V9.4.0cu.1498_B20250826. | 2026-01-30 | not yet calculated | CVE-2026-1723 | https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2026-0001/PANW-2026-0001.md |
| TP-Link Systems Inc.--Archer MR600 v5.0 | Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise. | 2026-01-26 | not yet calculated | CVE-2025-14756 | https://www.tp-link.com/jp/support/download/archer-mr600/#Firmware https://www.tp-link.com/en/support/download/archer-mr600/#Firmware https://www.tp-link.com/us/support/faq/4916/ https://jvn.jp/en/vu/JVNVU94651499/ https://jvn.jp/vu/JVNVU94651499/ |
| TP-Link Systems Inc.--Archer RE605X | The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When such a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of arbitrary commands with root privileges. Successful exploitation allows the attacker to gain root-level command execution, compromising confidentiality, integrity and availability. | 2026-01-29 | not yet calculated | CVE-2025-15545 | https://www.tp-link.com/en/support/download/re605x/v3/#Firmware https://www.tp-link.com/us/support/download/re605x/v3/#Firmware https://www.tp-link.com/us/support/faq/4929/ https://nico-security.com/posts/cve-2025-15545 |
| TP-Link Systems Inc.--Omada Controller | An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account. | 2026-01-26 | not yet calculated | CVE-2025-9520 | https://support.omadanetworks.com/us/document/115200/ https://support.omadanetworks.com/us/download/software/omada-controller/ |
| TP-Link Systems Inc.--Omada Controller | Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user's password without proper confirmation, leading to weakened account security. | 2026-01-26 | not yet calculated | CVE-2025-9521 | https://support.omadanetworks.com/us/document/115200/ https://support.omadanetworks.com/us/download/software/omada-controller/ |
| TP-Link Systems Inc.--Omada Controller | Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information. | 2026-01-26 | not yet calculated | CVE-2025-9522 | https://support.omadanetworks.com/us/document/115200/ https://support.omadanetworks.com/us/download/software/omada-controller/ |
| TP-Link Systems Inc.--Tapo C220 v1 | The Tapo C220 v1 and C520WS v2 cameras' HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable. | 2026-01-27 | not yet calculated | CVE-2026-0918 | https://www.tp-link.com/us/support/download/tapo-c220/v1.60/ https://www.tp-link.com/en/support/download/tapo-c220/v1/ https://www.tp-link.com/us/support/download/tapo-c520ws/v2/ https://www.tp-link.com/en/support/download/tapo-c520ws/v2/ https://www.tp-link.com/us/support/faq/4923/ |
| TP-Link Systems Inc.--Tapo C220 v1 | The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service. | 2026-01-27 | not yet calculated | CVE-2026-0919 | https://www.tp-link.com/us/support/download/tapo-c220/v1.60/ https://www.tp-link.com/en/support/download/tapo-c220/v1/ https://www.tp-link.com/us/support/download/tapo-c520ws/v2/ https://www.tp-link.com/en/support/download/tapo-c520ws/v2/ https://www.tp-link.com/us/support/faq/4923/ |
| TP-Link Systems Inc.--Tapo C220 v1 | By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation. | 2026-01-27 | not yet calculated | CVE-2026-1315 | https://www.tp-link.com/us/support/download/tapo-c220/v1.60/ https://www.tp-link.com/en/support/download/tapo-c220/v1/ https://www.tp-link.com/us/support/download/tapo-c520ws/v2/ https://www.tp-link.com/en/support/download/tapo-c520ws/v2/ https://www.tp-link.com/us/support/faq/4923/ |
| TP-Link Systems Inc.--VIGI C485 V1 | An authenticated buffer handling flaw in the TP-Link VIGI C385 V1 Web API, which lacks input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger a buffer overflow and potentially execute arbitrary code with elevated privileges. | 2026-01-29 | not yet calculated | CVE-2026-1457 | https://www.tp-link.com/en/support/download/vigi-c385/v1/#Firmware https://www.tp-link.com/kr/support/download/vigi-c385/v1/#Firmware https://www.tp-link.com/us/support/faq/4931/ |
| TP-Link Systems Inc.--VX800v v1.0 | A weakness in the web interface's application layer encryption in VX800v v1.0 allows an adjacent attacker to brute force the weak AES key and decrypt intercepted traffic. Successful exploitation requires network proximity but no authentication, and may result in high impact to confidentiality, integrity, and availability of transmitted data. | 2026-01-29 | not yet calculated | CVE-2025-13399 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| TP-Link Systems Inc.--VX800v v1.0 | Improper link resolution in the VX800v v1.0 SFTP service allows authenticated adjacent attackers to use crafted symbolic links to access system files, resulting in high confidentiality impact and limited integrity risk. | 2026-01-29 | not yet calculated | CVE-2025-15541 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| TP-Link Systems Inc.--VX800v v1.0 | Improper handling of exceptional conditions in VX800v v1.0 in SIP processing allows an attacker to flood the device with crafted INVITE messages, blocking all voice lines and causing a denial of service on incoming calls. | 2026-01-29 | not yet calculated | CVE-2025-15542 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| TP-Link Systems Inc.--VX800v v1.0 | Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted USB device to expose root filesystem contents, giving an attacker with physical access read only access to system files. | 2026-01-29 | not yet calculated | CVE-2025-15543 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| TP-Link Systems Inc.--VX800v v1.0 | Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality. | 2026-01-29 | not yet calculated | CVE-2025-15548 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| ttttupup--wxhelper | Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in ttttupup wxhelper (src modules). This vulnerability is associated with program files mongoose.C. This issue affects wxhelper: through 3.9.10.19-v1. | 2026-01-27 | not yet calculated | CVE-2026-24822 | https://github.com/ttttupup/wxhelper/pull/515 |
| turanszkij--WickedEngine | Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files ldebug.C. This issue affects WickedEngine: before 0.71.705. | 2026-01-27 | not yet calculated | CVE-2026-24820 | https://github.com/turanszkij/WickedEngine/pull/1054 |
| turanszkij--WickedEngine | Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files lparser.C. This issue affects WickedEngine: through 0.71.727. | 2026-01-27 | not yet calculated | CVE-2026-24821 | https://github.com/turanszkij/WickedEngine/pull/1095 |
| umbraco--Umbraco.Forms.Issues | Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the system's filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren't affected. This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1. If upgrading is not immediately possible, users can mitigate this vulnerability by configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..\`) in the `fileName` parameter of the export endpoint, restricting network access to the Umbraco backoffice to trusted IP ranges, and/or blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required. However, upgrading to the patched version is strongly recommended. | 2026-01-29 | not yet calculated | CVE-2026-24687 | https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-hm5p-82g6-m3xh |
| vendurehq--vendure | Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue. | 2026-01-30 | not yet calculated | CVE-2026-25050 | https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch https://github.com/vendurehq/vendure/releases/tag/v3.5.3 |
| visualfc--liteide | NULL Pointer Dereference vulnerability in visualfc liteide (liteidex/src/3rdparty/libvterm/src modules). This vulnerability is associated with program files screen.C, state.C, vterm.C. This issue affects liteide: before x38.4. | 2026-01-27 | not yet calculated | CVE-2026-24805 | https://github.com/visualfc/liteide/pull/1326 |
| WatchGuard--Fireware OS | An LDAP Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from a connected LDAP authentication server through an exposed authentication or management web interface. This vulnerability may also allow a remote attacker to authenticate as an LDAP user with a partial identifier if they additionally have that user's valid passphrase. This issue affects Fireware OS: from 12.0 through 12.11.6, from 12.5 through 12.5.15, from 2025.1 through 2026.0. | 2026-01-30 | not yet calculated | CVE-2026-1498 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00001 |
| Western Digital--WD Discovery | DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted dll in the installer's search path. | 2026-01-26 | not yet calculated | CVE-2025-30248 | https://www.westerndigital.com/support/product-security/wdc-25008-wd-discovery-desktop-app-version-5-3 |
| WordPress--Custom Login Page Customizer | The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account. | 2026-01-29 | not yet calculated | CVE-2025-14975 | https://wpscan.com/vulnerability/a1403186-51aa-4eae-a3fe-0c559570eb93/ |
| WordPress--Recipe Card Blocks Lite | The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. | 2026-01-26 | not yet calculated | CVE-2025-14973 | https://wpscan.com/vulnerability/76f7d5d4-ba45-4bfd-bda9-ab0769e81107/ |
| WordPress--User Activity Log | The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off). | 2026-01-28 | not yet calculated | CVE-2025-13471 | https://wpscan.com/vulnerability/cc8743f5-b1b9-4f88-b440-db044034bbfc/ |
| Worklenz--Worklenz | Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2026-01-26 | not yet calculated | CVE-2025-70368 | https://github.com/Worklenz/worklenz https://github.com/Stolichnayer/CVE-2025-70368 |
| Xen--Xen | Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing. | 2026-01-28 | not yet calculated | CVE-2025-58150 | https://xenbits.xenproject.org/xsa/advisory-477.html |
| Xen--Xen | In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB. | 2026-01-28 | not yet calculated | CVE-2026-23553 | https://xenbits.xenproject.org/xsa/advisory-479.html |
| yacy--yacy_search_server | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is associated with program files YaCyDefaultServlet.Java. This issue affects yacy_search_server. | 2026-01-27 | not yet calculated | CVE-2026-24824 | https://github.com/yacy/yacy_search_server/pull/722 |
| ydb-platform--ydb | Missing Release of Memory after Effective Lifetime vulnerability in ydb-platform ydb (contrib/libs/yajl modules). This vulnerability is associated with program files yail_tree.C. This issue affects ydb: through 24.4.4.2. | 2026-01-27 | not yet calculated | CVE-2026-24825 | https://github.com/ydb-platform/ydb/pull/17570 |
| zhblue--hustoj | HUSTOJ is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue. | 2026-01-27 | not yet calculated | CVE-2026-24479 | https://github.com/zhblue/hustoj/security/advisories/GHSA-xmgg-2rw4-7fxj https://github.com/zhblue/hustoj/commit/902bd09e6d0011fe89cd84d4236899314b33101f |

Vulnerability Summary for the Week of January 19, 2026

Posted on Monday January 26, 2026

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Agatasoft--AgataSoft PingMaster Pro | AgataSoft PingMaster Pro 2.1 contains a denial of service vulnerability in the Trace Route feature that allows attackers to crash the application by overflowing the host name input field. Attackers can generate a 10,000-character buffer and paste it into the host name field to trigger an application crash and potential system instability. | 2026-01-23 | 7.5 | CVE-2021-47893 | ExploitDB-49567 Vendor Homepage VulnCheck Advisory: AgataSoft PingMaster Pro 2.1 - Denial of Service |
| Aida Computer Information Technology Inc.--Hotel Guest Hotspot | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection. This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 8 | CVE-2025-4764 | https://www.usom.gov.tr/bildirim/tr-26-0001 |
| Altium--AES | AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries. | 2026-01-22 | 8.6 | CVE-2025-27378 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--AES | HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim's browser via crafted HTML content. | 2026-01-22 | 7.6 | CVE-2025-27380 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium 365 | Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments. | 2026-01-19 | 9 | CVE-2026-1181 | https://www.altium.com/platform/security-compliance/security-advisories |
| HAMASTAR Technology--MeetingHub | MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-22 | 9.8 | CVE-2026-1331 | https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html |
| appsmithorg--appsmith | Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication. | 2026-01-22 | 9.4 | CVE-2026-24042 | https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883 |
| Autodesk--Fusion | A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2026-01-22 | 7.1 | CVE-2026-0533 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 |
| Autodesk--Fusion | A maliciously crafted HTML payload, stored in a part's attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2026-01-22 | 7.1 | CVE-2026-0534 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 |
| Autodesk--Fusion | A maliciously crafted HTML payload, stored in a component's description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2026-01-22 | 7.1 | CVE-2026-0535 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 |
| Autonomy--OpenPLC | OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. Attackers can upload a custom hardware layer with embedded reverse shell code that establishes a network connection to a specified IP and port, enabling remote command execution. | 2026-01-21 | 8.8 | CVE-2021-47770 | ExploitDB-49803 OpenPLC Project Official Homepage OpenPLC v3 GitHub Repository VulnCheck Advisory: OpenPLC 3 - Remote Code Execution |
| B&R Industrial Automation GmbH--B&R Automation Studio | An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges. | 2026-01-19 | 7.4 | CVE-2025-11043 | https://www.br-automation.com/fileadmin/SA25P004-4f45197f.pdf |
| backstage--backstage | Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access. | 2026-01-21 | 7.1 | CVE-2026-24046 | https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d |
| baptisteArno--typebot.io | Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue. | 2026-01-22 | 7.4 | CVE-2025-65098 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47 |
| Birebirsoft Software and Technology Solutions--Sufirmam | Authentication Bypass by Primary Weakness, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Authentication Bypass, Password Recovery Exploitation. This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-23 | 10 | CVE-2025-4320 | https://www.usom.gov.tr/bildirim/tr-26-0005 |
| Birebirsoft Software and Technology Solutions--Sufirmam | Improper Restriction of Excessive Authentication Attempts, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Brute Force, Password Recovery Exploitation. This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-23 | 9.4 | CVE-2025-4319 | https://www.usom.gov.tr/bildirim/tr-26-0005 |
| Brother Industries, Ltd.--BRAdmin Professional | Brother BRAdmin Professional 3.75 contains an unquoted service path vulnerability in the BRA_Scheduler service that allows local users to potentially execute arbitrary code. Attackers can place a malicious executable named 'BRAdmin' in the C:\Program Files (x86)\Brother\ directory to gain local system privileges. | 2026-01-21 | 7.8 | CVE-2021-47869 | ExploitDB-49671 Brother Global Homepage Brother Software Download Page Vulnerability Technical Details VulnCheck Advisory: BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path |
| BROWAN COMMUNICATIONS--PrismX MX100 AP controller | PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware. | 2026-01-20 | 9.8 | CVE-2026-1221 | https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html |
| BROWAN COMMUNICATIONS--PrismX MX100 AP controller | PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-20 | 7.2 | CVE-2026-1222 | https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html |
| buddypress--BuddyPress | The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2026-01-23 | 7.3 | CVE-2024-11976 | https://www.wordfence.com/threat-intel/vulnerabilities/id/34c627c1-7838-468e-acb7-eb84ad1b4949?source=cve https://plugins.trac.wordpress.org/browser/buddypress/tags/14.3.1/bp-templates/bp-nouveau/includes/messages/ajax.php#L232 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3259392%40buddypress%2Ftrunk&old=3199645%40buddypress%2Ftrunk&sfp_email=&sfph_mail= |
| chattermate--chattermate.chat | ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an <iframe> payload containing a javascript: URI can be processed and executed in the browser context. This allows access to sensitive client-side data such as localStorage tokens and cookies, resulting in client-side injection. This issue has been fixed in version 1.0.9. | 2026-01-24 | 9.3 | CVE-2026-24399 | https://github.com/chattermate/chattermate.chat/security/advisories/GHSA-72p3-w95w-q3j4 https://github.com/chattermate/chattermate.chat/commit/ff3398031abb97ae28546eaf993fed3619eaffdd https://github.com/chattermate/chattermate.chat/releases/tag/v1.0.9 |
| choijun--LA-Studio Element Kit for Elementor | The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site. | 2026-01-22 | 9.8 | CVE-2026-0920 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65ebc744-6cc2-47ce-b225-81820e49d59c?source=cve https://plugins.trac.wordpress.org/browser/lastudio-element-kit/tags/1.5.6.3/includes/integrations/override.php#L301 https://plugins.trac.wordpress.org/changeset/3439121/lastudio-element-kit |
| Cisco--Cisco Unified Communications Manager | A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root. | 2026-01-21 | 8.2 | CVE-2026-20045 | cisco-sa-voice-rce-mORhqY4b |
| CRMEB--CRMEB | A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 7.3 | CVE-2026-1202 | VDB-341788 \| CRMEB LoginController.php appleLogin improper authentication VDB-341788 \| CTI Indicators (IOB, IOC, IOA) Submit #734711 \| Zhongbang CRMEB v5.6.3 Improper Authentication https://github.com/foeCat/CVE/blob/main/CRMEB/apple_login_auth_bypass.md |
| Data Device Corporation--dataSIMS Avionics ARINC | dataSIMS Avionics ARINC 664-1 version 4.5.3 contains a local buffer overflow vulnerability that allows attackers to overwrite memory by manipulating the milstd1553result.txt file. Attackers can craft a malicious file with carefully constructed payload and alignment sections to potentially execute arbitrary code on the Windows system. | 2026-01-23 | 8.4 | CVE-2021-47881 | ExploitDB-49577 Vendor Homepage Software Product Page VulnCheck Advisory: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow |
| Deepinstinct--Deep Instinct Windows Agent | Deep Instinct Windows Agent 1.2.24.0 contains an unquoted service path vulnerability in the DeepNetworkService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure Sense\DeepNetworkService.exe to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-25 | 7.8 | CVE-2020-36934 | ExploitDB-49020 Deep Instinct Official Homepage HP Collaboration Announcement VulnCheck Advisory: Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-01-23 | 8.8 | CVE-2026-22273 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | 2026-01-23 | 7.5 | CVE-2026-22271 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--PowerScale OneFS | Dell PowerScale OneFS versions prior to 9.13.0.0 contain an improper restriction of excessive authentication attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | 2026-01-22 | 8.1 | CVE-2026-22278 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Dell--Unisphere for PowerMax | Dell Unisphere for PowerMax, version(s) 10.2.0.x, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. | 2026-01-22 | 8.8 | CVE-2025-36588 | https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities |
| docling-project--docling-core | Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version 2.48.4, specifically only if the application uses pyyaml prior to version 5.4 and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()` passing it untrusted YAML data. The vulnerability has been patched in docling-core version 2.48.4. The fix mitigates the issue by switching `PyYAML` deserialization from `yaml.FullLoader` to `yaml.SafeLoader`, ensuring that untrusted data cannot trigger code execution. Users who cannot immediately upgrade docling-core can alternatively ensure that the installed version of PyYAML is 5.4 or greater. | 2026-01-22 | 8.1 | CVE-2026-24009 | https://github.com/docling-project/docling-core/security/advisories/GHSA-vqxf-v2gg-x3hc https://github.com/docling-project/docling-core/issues/482 https://github.com/docling-project/docling-core/commit/3e8d628eeeae50f0f8f239c8c7fea773d065d80c https://github.com/advisories/GHSA-8q59-q68h-6hv4 https://github.com/docling-project/docling-core/releases/tag/v2.48.4 |
| dokaninc--Dokan: AI Powered WooCommerce Multivendor Marketplace Solution Build Your Own Amazon, eBay, Etsy | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts. | 2026-01-20 | 8.1 | CVE-2025-14977 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ab9d7e9-9a81-48f8-bc37-ad6de43a566f?source=cve https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L131 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L152 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L109 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L85 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432750%40dokan-lite%2Ftrunk&old=3427612%40dokan-lite%2Ftrunk&sfp_email=&sfph_mail=#file7 |
| embeDD GmbH--DD-WRT | DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEARCH packets with oversized UUID payloads to trigger buffer overflow conditions on the target device. | 2026-01-21 | 9.8 | CVE-2021-47854 | ExploitDB-49730 DD-WRT Official Vendor Homepage DD-WRT Software Download Repository SSD Security Advisory for DD-WRT UPNP Buffer Overflow VulnCheck Advisory: DD-WRT 45723 - UPNP Buffer Overflow |
| Epiphany--Epiphany | A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior. | 2026-01-23 | 8 | CVE-2025-3839 | https://access.redhat.com/security/cve/CVE-2025-3839 RHBZ#2361430 |
| Epson America, Inc.--Epson USB Display | Epson USB Display 1.6.0.0 contains an unquoted service path vulnerability in the EMP_UDSA service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in intermediate directories to gain elevated system access. | 2026-01-23 | 7.8 | CVE-2021-47898 | ExploitDB-49548 Epson Official Homepage VulnCheck Advisory: Epson USB Display 1.6.0.0 Unquoted Service Path Vulnerability |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. The remaining length to read is computed using the current length subtracted by the header length which results in a negative value. This value is then interpreted as `SIZE_MAX` (or slightly less) because the expected type of the argument is `size_t`. Depending on whether the server is plain TCP or TLS, this leads to either an infinite loop or a stack buffer overflow. Version 2025.10.0 fixes the issue. | 2026-01-21 | 8.4 | CVE-2025-68137 | https://github.com/EVerest/everest-core/security/advisories/GHSA-7qq4-q9r8-wc7w |
| EVerest--everest-core | EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's memory and cause the module to terminate by initiating an unlimited number of TCP connections that never proceed to ISO 15118-2 communication. This is possible because a new thread is started for each incoming plain TCP or TLS socket connection before any verification occurs, and the verification performed is too permissive. The EVerest processes and all its modules shut down, affecting all EVSE functionality. This issue is fixed in version 2025.10.0. | 2026-01-21 | 7.4 | CVE-2025-68133 | https://github.com/EVerest/everest-core/security/advisories/GHSA-mv3w-pp85-5h7c https://github.com/EVerest/everest-core/commit/8127b8c54b296c4dd01b356ac26763f81f76a8fd https://github.com/EVerest/everest-core/commit/de504f0c11069010d26767b0952739e9a400cef3 |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors frequently causes the module to crash. This is particularly critical because the manager shuts down all other modules and exits when any one of them terminates, leading to a denial of service. In a context where a manager handles multiple EVSE, this would also impact other users. Version 2025.10.0 fixes the issue. | 2026-01-21 | 7.4 | CVE-2025-68134 | https://github.com/EVerest/everest-core/security/advisories/GHSA-cxc5-rrj5-8pf3 |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives an SDP request, it creates a whole new set of objects like `Session` and `IConnection`, which open a new TCP socket for the ISO15118-20 communications and register callbacks for the created file descriptor, without closing and destroying the previous ones. The previous `Session` is not saved and the usage of a `unique_ptr` is lost, destroying connection data. Later, if the used socket and therefore file descriptor is not the last one, it will lead to a null pointer dereference. Version 2025.10.0 fixes the issue. | 2026-01-21 | 7.4 | CVE-2025-68136 | https://github.com/EVerest/everest-core/security/advisories/GHSA-4h8h-x5cp-g22r |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is accessed out of bounds. This occurs in the method `template <> void convert(const struct iso20_dc_DetailedTaxType& in, datatypes::DetailedTax& out)` which leads to a null pointer dereference and causes the module to terminate. The EVerest processes and all its modules shut down, affecting all EVSE. Version 2025.10.0 fixes the issue. | 2026-01-21 | 7.4 | CVE-2025-68141 | https://github.com/EVerest/everest-core/security/advisories/GHSA-ph4w-r9q8-vm9h |
| EVMAPA--EVMAPA | This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system. | 2026-01-22 | 9.4 | CVE-2025-54816 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json |
| EVMAPA--EVMAPA | This vulnerability arises because there are no limitations on the number of authentication attempts a user can make. An attacker can exploit this weakness by continuously sending authentication requests, leading to a denial-of-service (DoS) condition. This can overwhelm the authentication system, rendering it unavailable to legitimate users and potentially causing service disruption. This can also allow attackers to conduct brute-force attacks to gain unauthorized access. | 2026-01-22 | 7.5 | CVE-2025-53968 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json |
| EVMAPA--EVMAPA | This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging sessions. The lack of proper session management and expiration control allows attackers to exploit this weakness by reusing valid charging station IDs to establish multiple sessions concurrently. | 2026-01-22 | 7.3 | CVE-2025-55705 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json |
| EXERT Computer Technologies Software Ltd. Co.--Education Management System | Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection. This issue affects Education Management System: through 23.09.2025. | 2026-01-22 | 7.5 | CVE-2025-10024 | https://www.usom.gov.tr/bildirim/tr-26-0002 |
| fastify--fastify-express | The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch for the issue. | 2026-01-19 | 8.4 | CVE-2026-22037 | https://github.com/fastify/fastify-express/security/advisories/GHSA-g6q3-96cp-5r5m https://github.com/fastify/fastify-express/commit/dc02a3fe1387f945143f22597baa42557d549a40 |
| fastify--middie | @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. Version 9.1.0 fixes the issue. | 2026-01-19 | 8.4 | CVE-2026-22031 | https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p https://github.com/fastify/middie/pull/245 https://github.com/fastify/middie/commit/d44cd56eb724490babf7b452fdbbdd37ea2effba https://github.com/fastify/middie/releases/tag/v9.1.0 |
| FOGProject--fogproject | FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1754 and below contain an unauthenticated SSRF vulnerability in getversion.php which can be triggered by providing a user-controlled url parameter. It can be used to fetch both internal websites and files on the machine running FOG. This appears to be reachable without an authenticated web session when the request includes newService=1. The issue does not have a fixed release version at the time of publication. | 2026-01-23 | 7.5 | CVE-2026-24138 | https://github.com/FOGProject/fogproject/security/advisories/GHSA-79xw-c2qx-g7xj |
| franklioxygen--MyTube | MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and potentially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication cookie (making req.user undefined), a request is incorrectly passed through to downstream handlers. All users running MyTube with loginEnabled: true are impacted. This flaw allows an attacker to access and modify application settings via /api/settings, change administrative and visitor passwords, and access other protected routes that rely on this specific middleware. The problem is patched in v1.7.66. MyTube maintainers recommend all users upgrade to at least version v1.7.64 immediately to secure their instances. The fix ensures that the middleware explicitly blocks requests if a user is not authenticated, rather than defaulting to next(). Those who cannot upgrade immediately can mitigate risk by using a firewall or reverse proxy (like Nginx) to restrict access to the /api/ endpoints to trusted IP addresses only or, if they are comfortable editing the source code, manually patch by locating roleBasedAuthMiddleware and ensuring that the logic defaults to an error (401 Unauthorized) when req.user is undefined, instead of calling next(). | 2026-01-19 | 9.8 | CVE-2026-23837 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-cmvj-g69f-8664 https://github.com/franklioxygen/MyTube/commit/f85ae9b0d6e4a6480c6af5b675a99069d08d496e |
| FreeLAN--FreeLAN | FreeLAN 2.2 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup. | 2026-01-21 | 7.8 | CVE-2021-47882 | ExploitDB-49630 FreeLAN GitHub Repository VulnCheck Advisory: FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path |
| frustratedProton--http-server | C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication. | 2026-01-24 | 7.5 | CVE-2026-24469 | https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff |
| FSPro Labs--Event Log Explorer | Event Log Explorer 4.9.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations that will be executed with LocalSystem account privileges during service startup. | 2026-01-21 | 7.8 | CVE-2021-47861 | ExploitDB-49704 Vendor Homepage VulnCheck Advisory: Event Log Explorer 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path |
| Fyrolabs LLC.--Pingzapper | Pingzapper 2.3.1 contains an unquoted service path vulnerability in the PingzapperSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Pingzapper\PZService.exe' to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47886 | ExploitDB-49626 Vendor Homepage Software Download Page VulnCheck Advisory: Pingzapper 2.3.1 - 'PingzapperSvc' Unquoted Service Path |
| Genexis--Platinum-4410 | Genexis Platinum-4410 P4410-V2-1.31A contains a stored cross-site scripting vulnerability in the 'start_addr' parameter of the Security Management interface. Attackers can inject malicious scripts through the start source address field that will persist and trigger for privileged users when they access the security management page. | 2026-01-21 | 7.2 | CVE-2021-47858 | ExploitDB-49709 Genexis Product Page VulnCheck Advisory: Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting |
| GeoGebra--CAS Calculator | GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a payload with 8000 repeated characters and paste it into the calculator's input field to trigger an application crash. | 2026-01-21 | 9.8 | CVE-2021-47875 | ExploitDB-49655 GeoGebra Official Homepage VulnCheck Advisory: GeoGebra CAS Calculator 6.0.631.0 - Denial of Service |
| GeoGebra--GeoGebra Classic | GeoGebra Classic 5.0.631.0-d contains a denial of service vulnerability in the input field that allows attackers to crash the application by sending oversized buffer content. Attackers can generate a large buffer of 800,000 repeated characters and paste it into the 'Entrada:' input field to trigger an application crash. | 2026-01-21 | 7.5 | CVE-2021-47876 | ExploitDB-49654 Official Vendor Homepage VulnCheck Advisory: GeoGebra Classic 5.0.631.0-d - Denial of Service |
| GeoGebra--GeoGebra Graphing Calculator | GeoGebra Graphing Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by inputting an oversized buffer. Attackers can generate a payload of 8000 repeated characters to overwhelm the input field and cause the application to become unresponsive. | 2026-01-21 | 7.5 | CVE-2021-47877 | ExploitDB-49653 GeoGebra Official Homepage VulnCheck Advisory: GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service |
| getwpfunnels--Creator LMS The LMS for Creators, Coaches, and Trainers | The Creator LMS - The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options. | 2026-01-20 | 8.8 | CVE-2025-15347 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bddaefc-9ddc-4798-acb6-7b87f7c924a1?source=cve https://plugins.trac.wordpress.org/changeset/3433193/creatorlms/tags/1.1.13/includes/Rest/V1/SettingsController.php |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data. | 2026-01-22 | 7.5 | CVE-2025-13927 | GitLab Issue #582737 HackerOne Bug Bounty Report #3439683 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints. | 2026-01-22 | 7.5 | CVE-2025-13928 | GitLab Issue #582736 HackerOne Bug Bounty Report #3439441 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses. | 2026-01-22 | 7.4 | CVE-2026-0723 | GitLab Issue #585333 HackerOne Bug Bounty Report #3476052 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GNU--Inetutils | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. | 2026-01-21 | 9.8 | CVE-2026-24061 | https://www.openwall.com/lists/oss-security/2026/01/20/2 https://www.openwall.com/lists/oss-security/2026/01/20/8 https://www.gnu.org/software/inetutils/ |
| gristlabs--grist-core | Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`. | 2026-01-22 | 9.1 | CVE-2026-24002 | https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents |
| gunthercox--ChatterBot | ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue. | 2026-01-19 | 7.5 | CVE-2026-23842 | https://github.com/gunthercox/ChatterBot/security/advisories/GHSA-v4w8-49pv-mf72 https://github.com/gunthercox/ChatterBot/pull/2432 https://github.com/gunthercox/ChatterBot/commit/de89fe648139f8eeacc998ad4524fab291a378cf https://github.com/gunthercox/ChatterBot/releases/tag/1.2.11 https://github.com/user-attachments/assets/4ee845c4-b847-4854-84ec-4b2fb2f7090f |
| h2o--quicly | Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes the process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e fixes the issue. | 2026-01-19 | 7.5 | CVE-2025-61684 | https://github.com/h2o/quicly/security/advisories/GHSA-wr3c-345m-43v9 https://github.com/h2o/quicly/commit/d9d3df6a8530a102b57d840e39b0311ce5c9e14e |
| HackUCF--OnboardLite | OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue. | 2026-01-19 | 7.3 | CVE-2026-23880 | https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f |
| HAMASTAR Technology--MeetingHub | MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | 2026-01-22 | 7.5 | CVE-2026-1330 | https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html |
| Hasura--GraphQL | Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality. | 2026-01-21 | 9.8 | CVE-2021-47748 | ExploitDB-49802 Hasura GraphQL Engine GitHub Repository VulnCheck Advisory: Hasura GraphQL 1.3.3 - Remote Code Execution |
| Hestia Control Panel--Hestia Control Panel | Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server. | 2026-01-21 | 8.8 | CVE-2021-47871 | ExploitDB-49667 Hestia Control Panel Official Homepage Hestia Control Panel GitHub Repository VulnCheck Advisory: Hestia Control Panel 1.3.2 - Arbitrary File Write |
| HI-REZ STUDIOS--HiPatchService | Hi-Rez Studios 5.1.6.3 contains an unquoted service path vulnerability in the HiPatchService that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-21 | 7.8 | CVE-2021-47862 | ExploitDB-49701 Hi-Rez Studios Official Homepage VulnCheck Advisory: Hi-Rez Studios 5.1.6.3 - 'HiPatchService' Unquoted Service Path |
| Hibernate--Hibernate | A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service. | 2026-01-23 | 8.3 | CVE-2026-0603 | https://access.redhat.com/security/cve/CVE-2026-0603 RHBZ#2427147 |
| HID Global--ActivIdentity | ActivIdentity 8.2 contains an unquoted service path vulnerability in the ac.sharedstore service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in C:\Program Files\Common Files\ActivIdentity\ to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47859 | ExploitDB-49703 HID Global Official Website VulnCheck Advisory: ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path |
| Honeywell--WIN-PACK PRO | WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the GuardTourService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files <x86>\WINPAKPRO\WP GuardTour Service.exe to inject malicious code that would execute during service startup. | 2026-01-21 | 7.8 | CVE-2021-47866 | ExploitDB-49690 Honeywell Product Webpage VulnCheck Advisory: WIN-PACK PRO 4.8 - 'GuardTourService' Unquoted Service Path |
| Honeywell--WIN-PACK PRO | WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the WPCommandFileService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files <x86>\WINPAKPRO\WPCommandFileService Service.exe to inject malicious code that would execute with LocalSystem permissions. | 2026-01-21 | 7.8 | CVE-2021-47868 | ExploitDB-49692 Honeywell Product Webpage VulnCheck Advisory: WIN-PACK PRO 4.8 - 'WPCommandFileService' Unquoted Service Path |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0. | 2026-01-22 | 8.1 | CVE-2026-24038 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| HTC--IPTInstaller | HTC IPTInstaller 4.0.9 contains an unquoted service path vulnerability in the PassThru Service configuration. Attackers can exploit the unquoted binary path to inject and execute malicious code with elevated LocalSystem privileges. | 2026-01-25 | 7.8 | CVE-2020-36933 | ExploitDB-49006 HTC Official Latin America Homepage VulnCheck Advisory: IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path |
| hwk-fr--Advanced Custom Fields: Extended | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field. | 2026-01-20 | 9.8 | CVE-2025-14533 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=cve https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636 https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/fields/field-user-roles.php#L437 https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-user.php#L356 |
| I Want Source Codes--Digital Crime Report Management System | Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending crafted SQL injection payloads in email and password parameters across police, incharge, user, and HQ login endpoints. | 2026-01-21 | 8.2 | CVE-2021-47846 | ExploitDB-49761 Vendor Homepage Software Download Link VulnCheck Advisory: Digital Crime Report Management System 1.0 - SQL Injection |
| ibericode--koko-analytics | Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as "),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue. | 2026-01-19 | 8.4 | CVE-2026-22850 | https://github.com/ibericode/koko-analytics/security/advisories/GHSA-jgfh-264m-xh3q https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e7bb59847c982432119 https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing |
| IBM--ApplinX | IBM ApplinX 11.1 is vulnerable to privilege escalation due to improper verification of JWT tokens. An attacker may be able to craft or modify a JSON web token in order to impersonate another user or to elevate their privileges. | 2026-01-20 | 7.3 | CVE-2025-36418 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. | 2026-01-20 | 8.8 | CVE-2025-33015 | https://www.ibm.com/support/pages/node/7257006 |
| IBM--IBM Licensing Operator | IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image. | 2026-01-20 | 8.4 | CVE-2025-12985 | https://www.ibm.com/support/pages/license-service-privilege-escalation-vulnerability |
| IBM--Sterling Connect:Direct for UNIX Container | IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM® Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | 2026-01-20 | 8.4 | CVE-2025-14115 | https://www.ibm.com/support/pages/node/7257143 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue. | 2026-01-20 | 8.1 | CVE-2026-23876 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8 https://github.com/ImageMagick/ImageMagick/commit/2fae24192b78fdfdd27d766fd21d90aeac6ea8b8 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccMpeCalculator::Read(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 8.8 | CVE-2026-24405 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2r5c-5w66-47vv https://github.com/InternationalColorConsortium/iccDEV/issues/479 https://github.com/InternationalColorConsortium/iccDEV/commit/d22fc174866e2521f8a5f9393fab5be306329f62 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 8.8 | CVE-2026-24406 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h9h3-45cm-j95f https://github.com/InternationalColorConsortium/iccDEV/issues/480 https://github.com/InternationalColorConsortium/iccDEV/commit/90c71cba2c563b1f5dc84197f827540d1baaea67 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in the CIccTagXmlSegmentedCurve::ToXml() function. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 8.8 | CVE-2026-24412 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6rf4-63j2-cfrf https://github.com/InternationalColorConsortium/iccDEV/issues/518 https://github.com/InternationalColorConsortium/iccDEV/commit/2be3b125933a57fe8b6624e9dfd69d8e5360bf70 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, an integer overflow vulnerability exists in icValidateStatus CIccProfile::CheckHeader() when user-controllable input is incorporated into profile data unsafely. Tampering with tag tables, offsets, or size fields can trigger parsing errors, memory corruption, or DoS, potentially enabling arbitrary Code Execution or bypassing application logic. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24403 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-ph33-qp8j-5q34 https://github.com/InternationalColorConsortium/iccDEV/issues/505 https://github.com/InternationalColorConsortium/iccDEV/commits/d993997005449a0a6958e65b057bd25e17dff89 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, CIccXmlArrayType() contains a Null Pointer Dereference and Undefined Behavior vulnerability. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24404 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hqfg-45jp-hp9f https://github.com/InternationalColorConsortium/iccDEV/issues/488 https://github.com/InternationalColorConsortium/iccDEV/commit/cd637eb33f0c8055fa54d8776e00555d3d39ef0c |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24407 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-m6gx-93cp-4855 https://github.com/InternationalColorConsortium/iccDEV/issues/481 https://github.com/InternationalColorConsortium/iccDEV/commit/881802931a71c4b0dfc28bc80ee55b2cb84dab90 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Dereference in CIccTagXmlFloatNum<>::ParseXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24409 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398v-jvcg-p8f3 https://github.com/InternationalColorConsortium/iccDEV/issues/484 https://github.com/InternationalColorConsortium/iccDEV/commit/9f134c44895edd2edca4bcb97e15c0ba9aa77382 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Dereference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24410 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398q-4rpv-3v9r https://github.com/InternationalColorConsortium/iccDEV/issues/507 https://github.com/InternationalColorConsortium/iccDEV/commit/3cf522b13832692b107322cd51c4ae5c3a21f366 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in CIccTagXmlSegmentedCurve::ToXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24411 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x53f-7h27-9fc8 https://github.com/InternationalColorConsortium/iccDEV/issues/499 https://github.com/InternationalColorConsortium/iccDEV/commit/d6d6f51a999d4266ec09347cac7e0930d6e02eec |
| irisideatechsolutions--Kalrav AI Agent | The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-01-24 | 9.8 | CVE-2025-13374 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5dc8feae-fc89-4152-b9b2-2b70e6ccb30b?source=cve https://plugins.trac.wordpress.org/browser/kalrav-ai-agent/trunk/kalrav-ai-agent.php#L967 https://plugins.trac.wordpress.org/browser/kalrav-ai-agent/tags/2.3.3/kalrav-ai-agent.php#L967 https://github.com/d0n601/CVE-2025-13374 https://ryankozak.com/posts/cve-2025-13374 |
| isaacs--node-tar | node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue. | 2026-01-20 | 8.8 | CVE-2026-23950 | https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6 |
| ISC--BIND 9 | Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1. | 2026-01-21 | 7.5 | CVE-2025-13878 | CVE-2025-13878 https://downloads.isc.org/isc/bind9/9.18.44 https://downloads.isc.org/isc/bind9/9.20.18 https://downloads.isc.org/isc/bind9/9.21.17 |
| itsourcecode--Online Frozen Foods Ordering System | A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This issue affects some unknown processing of the file /order_online.php. Executing a manipulation of the argument product_name can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-19 | 7.3 | CVE-2026-1159 | VDB-341753 \| itsourcecode Online Frozen Foods Ordering System order_online.php sql injection VDB-341753 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736332 \| itsourcecode Online Frozen Foods Ordering System V1.0 SQL Injection https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/1 https://itsourcecode.com/ |
| itsourcecode--School Management System | A security flaw has been discovered in itsourcecode School Management System 1.0. Affected is an unknown function of the file /subject/index.php. Performing a manipulation of the argument ID results in SQL injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 7.3 | CVE-2026-1176 | VDB-341770 \| itsourcecode School Management System index.php sql injection VDB-341770 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736477 \| itsourcecode School Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/32 https://itsourcecode.com/ |
| jaraco--jaraco.context | jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue. | 2026-01-20 | 8.6 | CVE-2026-23949 | https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2 https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9 https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91 https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76 |
| JNC--IAQS | IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end. | 2026-01-23 | 9.8 | CVE-2026-1363 | https://www.twcert.org.tw/tw/cp-132-10652-4cdca-1.html https://www.twcert.org.tw/en/cp-139-10653-117a1-2.html |
| JNC--IAQS | IAQS and I6 developed by JNC has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly operate system administrative functionalities. | 2026-01-23 | 9.8 | CVE-2026-1364 | https://www.twcert.org.tw/tw/cp-132-10652-4cdca-1.html https://www.twcert.org.tw/en/cp-139-10653-117a1-2.html |
| JuneAndGreen--sm-crypto | sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions. Version 0.3.14 patches the issue. | 2026-01-22 | 9.1 | CVE-2026-23966 | https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-pgx9-497m-6c4v https://github.com/JuneAndGreen/sm-crypto/commit/b1c824e58fdf1eaa73692c124a095819a8c45707 |
| JuneAndGreen--sm-crypto | sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. Version 0.4.0 patches the issue. | 2026-01-22 | 7.5 | CVE-2026-23965 | https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-hpwg-xg7m-3p6m https://github.com/JuneAndGreen/sm-crypto/commit/85295a859d0766222d12ce2be3e6fce7b438b510 |
| JuneAndGreen--sm-crypto | sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a previously signed message from an existing signature. Version 0.3.14 patches the issue. | 2026-01-22 | 7.5 | CVE-2026-23967 | https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-qv7w-v773-3xqm |
| KMSpico--Service KMSELDI | KMSpico 17.1.0.0 contains an unquoted service path vulnerability in the Service KMSELDI configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in C:\Program Files\KMSpico\Service_KMS.exe to inject malicious executables and escalate privileges. | 2026-01-25 | 7.8 | CVE-2020-36935 | ExploitDB-49003 Official KMSpico Homepage VulnCheck Advisory: KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path |
| kodezen--Academy LMS WordPress LMS Plugin for Complete eLearning Solution | The Academy LMS - WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and gain access to their accounts. | 2026-01-21 | 9.8 | CVE-2025-15521 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6687ebbe-fdf4-4ecb-bf59-034bb4b0104c?source=cve https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581 |
| kohler--hotcrp | HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2. | 2026-01-19 | 10 | CVE-2026-23836 | https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9 https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834 |
| Kozea--WeasyPrint | WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-validating the new destination against the developer's security policy. Version 68.0 contains a patch for the issue. | 2026-01-19 | 7.5 | CVE-2025-68616 | https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv https://github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565 |
| laravel--reverb | Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP's unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node). | 2026-01-21 | 9.8 | CVE-2026-23524 | https://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4 https://github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1a https://cwe.mitre.org/data/definitions/502.html https://github.com/laravel/reverb/releases/tag/v1.7.0 https://laravel.com/docs/12.x/reverb#scaling |
| leepeuker--movary | Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue. | 2026-01-19 | 9.3 | CVE-2026-23839 | https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L237 https://github.com/leepeuker/movary/releases/tag/0.70.0 |
| leepeuker--movary | Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue. | 2026-01-19 | 9.3 | CVE-2026-23840 | https://github.com/leepeuker/movary/security/advisories/GHSA-pj3m-gmq8-2r57 https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L204 https://github.com/leepeuker/movary/releases/tag/0.70.0 |
| leepeuker--movary | Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue. | 2026-01-19 | 9.3 | CVE-2026-23841 | https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v https://github.com/leepeuker/movary/releases/tag/0.70.0 |
| LiteSpeed Technologies Inc--LiteSpeed Web Server Enterprise | LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the 'Command' parameter in the server configuration, allowing remote code execution via path traversal and bash command injection. | 2026-01-23 | 8.8 | CVE-2021-47903 | ExploitDB-49523 LiteSpeed Technologies Official Homepage LiteSpeed Web Server Product Page VulnCheck Advisory: LiteSpeed Web Server Enterprise 5.4.11 - Command Injection |
| LiteSpeed Technologies--OpenLiteSpeed | Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. Attackers can craft a payload in the Notes field during listener configuration that will execute when an administrator clicks on the Default Icon. | 2026-01-21 | 7.2 | CVE-2021-47855 | ExploitDB-49727 OpenLiteSpeed Vendor Homepage VulnCheck Advisory: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting |
| Luidia--eBeam Education Suite | eBeam Education Suite 2.5.0.9 contains an unquoted service path vulnerability in the eBeam Device Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem privileges during service startup. | 2026-01-21 | 7.8 | CVE-2021-47878 | ExploitDB-49647 Software Download Page VulnCheck Advisory: eBeam Education Suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path |
| Luidia--eBeam Interactive Suite | eBeam Interactive Suite 3.6 contains an unquoted service path vulnerability in the eBeam Stylus Driver service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Luidia\eBeam Stylus Driver\ to inject malicious executables that would run with LocalSystem permissions. | 2026-01-21 | 7.8 | CVE-2021-47879 | ExploitDB-49648 Software Download Page VulnCheck Advisory: eBeam Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path |
| lxc--incus | Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g. a member of the 'incus' group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container's lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g. /tmp). This can be confirmed with a second container with /tmp mounted from the host (a privileged action for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. | 2026-01-22 | 8.7 | CVE-2026-23953 | https://github.com/lxc/incus/security/advisories/GHSA-x6jc-phwx-hp32 https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L1081 https://github.com/user-attachments/files/24473682/environment_newline_injection.sh https://github.com/user-attachments/files/24473685/environment_newline_injection.patch |
| lxc--incus | Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g. a member of the 'incus' group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. | 2026-01-22 | 8.7 | CVE-2026-23954 | https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7 https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215 https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294 https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch |
| lxsmnsyc--seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1. | 2026-01-21 | 7.3 | CVE-2026-23736 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4 https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc--seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0. | 2026-01-21 | 7.5 | CVE-2026-23737 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3rxj-6cgf-8cfw https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc--seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1. | 2026-01-22 | 7.5 | CVE-2026-23956 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc--seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1. | 2026-01-22 | 7.5 | CVE-2026-23957 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6 https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc--seroval | Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached. | 2026-01-22 | 7.5 | CVE-2026-24006 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| MacPaw Way Ltd.--Encrypto | MacPaw Encrypto 1.0.1 contains an unquoted service path vulnerability in its Encrypto Service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\Encrypto\ to inject malicious executables and escalate privileges on Windows systems. | 2026-01-21 | 7.8 | CVE-2021-47863 | ExploitDB-49694 MacPaw Encrypto Official Homepage VulnCheck Advisory: MacPaw Encrypto 1.0.1 - 'Encrypto Service' Unquoted Service Path |
| Magic Utilities--Magic Mouse 2 utilities | Magic Mouse 2 Utilities 2.20 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to inject malicious executables and gain elevated system privileges by placing a malicious file in the service path. | 2026-01-25 | 7.8 | CVE-2020-36936 | ExploitDB-49017 Magic Utilities Vendor Homepage VulnCheck Advisory: Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 7.5 | CVE-2026-23962 | https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| MedDream--MedDream PACS Premium | An arbitrary file read vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted HTTP request can lead to an arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability. | 2026-01-20 | 9.6 | CVE-2025-53912 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2273 |
| melapress--Melapress Role Editor | The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator. | 2026-01-23 | 8.8 | CVE-2025-14866 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0509aaf1-8aae-42e5-84d3-ea9b431703f3?source=cve https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/classes/admin/ajax/class-admin-ajax.php https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/classes/admin/additional-form-fields/class-user-profile.php#L103 https://plugins.trac.wordpress.org/changeset/3439348/ |
| Microsoft--Azure Data Explorer | Exposure of sensitive information to an unauthorized actor in Azure Data Explorer allows an unauthorized attacker to disclose information over a network. | 2026-01-22 | 7.4 | CVE-2026-21524 | Azure Data Explorer Information Disclosure Vulnerability |
| Microsoft--Azure Front Door | Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network. | 2026-01-22 | 9.8 | CVE-2026-24306 | Azure Front Door Elevation of Privilege Vulnerability |
| Microsoft--Azure Logic Apps | Improper limitation of a pathname to a restricted directory ('path traversal') in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network. | 2026-01-22 | 8.2 | CVE-2026-21227 | Azure Logic Apps Elevation of Privilege Vulnerability |
| Microsoft--Azure Resource Manager | Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network. | 2026-01-23 | 9.9 | CVE-2026-24304 | Azure Resource Manager Elevation of Privilege Vulnerability |
| Microsoft--Microsoft 365 Copilot | Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-01-22 | 9.3 | CVE-2026-24307 | M365 Copilot Information Disclosure Vulnerability |
| Microsoft--Microsoft 365 Word Copilot | Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network. | 2026-01-22 | 7.4 | CVE-2026-21521 | Word Copilot Information Disclosure Vulnerability |
| Microsoft--Microsoft Account | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network. | 2026-01-22 | 9.3 | CVE-2026-21264 | Microsoft Account Spoofing Vulnerability |
| Microsoft--Microsoft Copilot Studio | Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows an unauthenticated attacker to view sensitive information through a network attack vector. | 2026-01-22 | 7.5 | CVE-2026-21520 | Copilot Studio Information Disclosure Vulnerability |
| Microsoft--Microsoft Entra | Azure Entra ID Elevation of Privilege Vulnerability | 2026-01-22 | 9.3 | CVE-2026-24305 | Azure Entra ID Elevation of Privilege Vulnerability |
| Microvirt--MEMU PLAY | Microvirt MEMU Play 3.7.0 contains an unquoted service path vulnerability in the MEmusvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with elevated LocalSystem privileges. | 2026-01-25 | 7.8 | CVE-2020-36937 | ExploitDB-49016 Official MEMU Play Product Homepage VulnCheck Advisory: MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path |
| Moodle--Moodle | A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application. | 2026-01-23 | 8.8 | CVE-2025-67847 | https://access.redhat.com/security/cve/CVE-2025-67847 |
| Moodle--Moodle | Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event. | 2026-01-21 | 7.2 | CVE-2021-47857 | ExploitDB-49714 Official Moodle Project Homepage VulnCheck Advisory: Moodle 3.10.3 - 'label' Persistent Cross Site Scripting |
| nanbingxyz--5ire | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an `<img onerror=...>` payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as `window.bridge.mcpServersManager.createServer`. This enables unauthorized creation of MCP servers and can lead to remote command execution. Version 0.15.3 fixes the issue. | 2026-01-21 | 9.7 | CVE-2026-22792 | https://github.com/nanbingxyz/5ire/security/advisories/GHSA-p5fm-wm8g-rffx https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3 |
| nanbingxyz--5ire | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the renderer context. This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electron's electron.mcp) are exposed, resulting in full compromise of the host system. Version 0.15.3 patches the issue. | 2026-01-21 | 9.7 | CVE-2026-22793 | https://github.com/nanbingxyz/5ire/security/advisories/GHSA-wg3x-7c26-97wj https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3 |
| NodeBB--NodeBB Plugin Emoji | NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter. | 2026-01-21 | 7.5 | CVE-2021-47746 | ExploitDB-49813 Official NodeBB Homepage NodeBB Emoji Plugin GitHub Repository VulnCheck Advisory: NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write |
| Northwest Performance Software, Inc.--Managed Switch Port Mapping Tool | Managed Switch Port Mapping Tool 2.85.2 contains a denial of service vulnerability that allows attackers to crash the application by creating an oversized buffer. Attackers can generate a 10,000-character buffer and paste it into the IP Address and SNMP Community Name fields to trigger the application crash. | 2026-01-23 | 7.5 | CVE-2021-47894 | ExploitDB-49566 Vendor Homepage Software Download Page VulnCheck Advisory: Managed Switch Port Mapping Tool 2.85.2 - Denial of Service |
| Nsauditor--Nsauditor | Nsauditor 3.2.2.0 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the Event Description field with a large buffer. Attackers can generate a 10,000-character 'U' buffer and paste it into the Event Description field to trigger an application crash. | 2026-01-23 | 7.5 | CVE-2021-47895 | ExploitDB-49568 Official Vendor Homepage VulnCheck Advisory: Nsauditor 3.2.2.0 - 'Event Description' Denial of Service |
| NVIDIA--CUDA Toolkit | NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. | 2026-01-20 | 7.3 | CVE-2025-33228 | https://nvd.nist.gov/vuln/detail/CVE-2025-33228 https://www.cve.org/CVERecord?id=CVE-2025-33228 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| NVIDIA--CUDA Toolkit | NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. A successful exploit of this vulnerability may lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure. | 2026-01-20 | 7.3 | CVE-2025-33229 | https://nvd.nist.gov/vuln/detail/CVE-2025-33229 https://www.cve.org/CVERecord?id=CVE-2025-33229 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| NVIDIA--CUDA Toolkit | NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. A successful exploit of this vulnerability might lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure. | 2026-01-20 | 7.3 | CVE-2025-33230 | https://nvd.nist.gov/vuln/detail/CVE-2025-33230 https://www.cve.org/CVERecord?id=CVE-2025-33230 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| NVIDIA--Merlin Transformers4Rec | NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2026-01-20 | 7.8 | CVE-2025-33233 | https://nvd.nist.gov/vuln/detail/CVE-2025-33233 https://www.cve.org/CVERecord?id=CVE-2025-33233 https://nvidia.custhelp.com/app/answers/detail/a_id/5761 |
| OKI--Configuration Tool | OKI Configuration Tool 1.6.53 contains an unquoted service path vulnerability in the OKI Local Port Manager service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe' to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47884 | ExploitDB-49624 Archived OKI Product Webpage VulnCheck Advisory: Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path |
| OKI--Print Job Accounting | OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Print Job Accounting\' to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47887 | ExploitDB-49623 Archived OKI Product Webpage VulnCheck Advisory: Print Job Accounting 4.4.10 - 'OkiJaSvc' Unquoted Service Path |
| OpenStack--keystonemiddleware | An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected. | 2026-01-19 | 9.9 | CVE-2026-22797 | https://launchpad.net/bugs/2129018 https://www.openwall.com/lists/oss-security/2026/01/16/9 |
| opf--openproject | OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject's roadmap view renders the "Related work packages" list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting a `X-Content-Type-Options: nosniff` header, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that they add a X-Content-Type-Options: nosniff header in their proxying web application server. | 2026-01-19 | 8.7 | CVE-2026-23625 | https://github.com/opf/openproject/security/advisories/GHSA-cvpq-cc56-gwxx https://github.com/opf/openproject/releases/tag/v16.6.5 https://github.com/opf/openproject/releases/tag/v17.0.0 |
| Oracle Corporation--Oracle Agile PLM | Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 7.5 | CVE-2026-21940 | Oracle Advisory |
| Oracle Corporation--Oracle Agile Product Lifecycle Management for Process | Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-01-20 | 9.8 | CVE-2026-21969 | Oracle Advisory |
| Oracle Corporation--Oracle Business Intelligence Enterprise Edition | Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-01-20 | 7.1 | CVE-2026-21976 | Oracle Advisory |
| Oracle Corporation--Oracle Database Server | Vulnerability in the SQLcl component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.0. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where SQLcl executes to compromise SQLcl. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of SQLcl. CVSS 3.1 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). | 2026-01-20 | 7 | CVE-2026-21939 | Oracle Advisory |
| Oracle Corporation--Oracle FLEXCUBE Investor Servicing | Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Security Management System). Supported versions that are affected are 14.5.0.15.0, 14.7.0.8.0 and 14.8.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-01-20 | 8.1 | CVE-2026-21973 | Oracle Advisory |
| Oracle Corporation--Oracle Hospitality OPERA 5 | Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). | 2026-01-20 | 8.6 | CVE-2026-21967 | Oracle Advisory |
| Oracle Corporation--Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in | Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). | 2026-01-20 | 10 | CVE-2026-21962 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). | 2026-01-20 | 7.4 | CVE-2026-21932 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 7.5 | CVE-2026-21945 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21955 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21956 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21987 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21988 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L). | 2026-01-20 | 8.1 | CVE-2026-21989 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21990 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21957 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21982 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21983 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21984 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 7.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). | 2026-01-20 | 7.1 | CVE-2026-21986 | Oracle Advisory |
| Oracle Corporation--Siebel CRM Deployment | Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure). Supported versions that are affected are 17.0-25.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Deployment. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 7.5 | CVE-2026-21926 | Oracle Advisory |
| OSAS--OSAS Traverse Extension | OSAS Traverse Extension 11 contains an unquoted service path vulnerability in the TravExtensionHostSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject and execute malicious code by placing executable files in the service's path, potentially gaining elevated system access. | 2026-01-21 | 7.8 | CVE-2021-47864 | ExploitDB-49698 Archived Vendor Homepage VulnCheck Advisory: OSAS Traverse Extension 11 - 'travextensionhostsvc' Unquoted Service Path |
| pbatard--rufus | Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA. | 2026-01-22 | 7.3 | CVE-2026-23988 | https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9 https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873 https://github.com/pbatard/rufus/releases/tag/v4.12_BETA |
| PDF Complete, Inc.--PDFCOMPLETE Corporate Edition | PDF Complete Corporate Edition 4.1.45 contains an unquoted service path vulnerability in the pdfcDispatcher service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in the service binary location to inject malicious executables that will be run with elevated LocalSystem privileges. | 2026-01-23 | 7.8 | CVE-2021-47896 | ExploitDB-49558 Vendor Homepage Software Download Page VulnCheck Advisory: PDFCOMPLETE Corporate Edition 4.1.45 - 'pdfcDispatcher' Unquoted Service Path |
| PEEL eCommerce--PEEL Shopping | PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution. | 2026-01-23 | 7.2 | CVE-2021-47892 | ExploitDB-49574 Archived Vendor Homepage VulnCheck Advisory: PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting |
| PEEL eCommerce--PEEL Shopping | PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads that execute when users interact with the address text box, potentially enabling client-side script execution. | 2026-01-23 | 7.2 | CVE-2021-47897 | ExploitDB-49553 Archived Vendor Homepage VulnCheck Advisory: PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting |
| PHPGurukul--Directory Management System | A security vulnerability has been detected in PHPGurukul Directory Management System 1.0. Impacted is an unknown function of the file /index.php of the component Search. The manipulation of the argument searchdata leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-01-19 | 7.3 | CVE-2026-1160 | VDB-341754 \| PHPGurukul Directory Management System Search index.php sql injection VDB-341754 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736333 \| itsourcecode Directory Management System V1.0 SQL Injection https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/2 https://phpgurukul.com/ |
| phppgadmin--phpPgAdmin | phpPgAdmin 7.13.0 contains a remote command execution vulnerability that allows authenticated attackers to execute arbitrary system commands through SQL query manipulation. Attackers can create a custom table, upload a malicious .txt file, and use the COPY FROM PROGRAM command to execute operating system commands with the application's privileges. | 2026-01-21 | 8.8 | CVE-2021-47853 | ExploitDB-49736 phpPgAdmin Official Release Page VulnCheck Advisory: phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution |
| Phreesoft--PhreeBooks | PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. | 2026-01-23 | 8.8 | CVE-2021-47904 | ExploitDB-49524 Official Vendor Homepage ExploitDB-46645 Web Shell Payload Gist VulnCheck Advisory: PhreeBooks 5.2.3 - Remote Code Execution |
| posimyththemes--Nexter Extension Site Enhancements Toolkit | The Nexter Extension - Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | 2026-01-20 | 8.1 | CVE-2026-0726 | https://www.wordfence.com/threat-intel/vulnerabilities/id/02de9287-68e4-46ce-a491-3f6cbb7fc0ed?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/nexter-extension/tags/4.4.6/include/panel-settings/extensions/nexter-ext-replace-url.php&new_path=/nexter-extension/tags/4.4.7/include/panel-settings/extensions/nexter-ext-replace-url.php |
| ProFTPD--ProFTPD | ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers to overwhelm the server by creating multiple simultaneous FTP connections. Attackers can repeatedly establish connections using threading to exhaust server connection limits and block legitimate user access. | 2026-01-21 | 7.5 | CVE-2021-47865 | ExploitDB-49697 ProFTPD Official Website ProFTPD GitHub Repository VulnCheck Advisory: ProFTPD 1.3.7a - Remote Denial of Service |
| pypa--wheel | wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2. | 2026-01-22 | 7.1 | CVE-2026-24049 | https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef https://github.com/pypa/wheel/releases/tag/0.46.2 |
| Quenary--tugtainer | Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue. | 2026-01-19 | 8.1 | CVE-2026-23846 | https://github.com/Quenary/tugtainer/security/advisories/GHSA-f2qf-f544-xm4p https://github.com/Quenary/tugtainer/commit/9d23bf40ac1d39005582abfcf0a84753a4e29d52 |
| Realtek Semiconductor Corp.--Realtek Wireless LAN Utility | Realtek Wireless LAN Utility 700.1631 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path by inserting malicious code in the system root path that would execute during application startup or system reboot. | 2026-01-21 | 7.8 | CVE-2021-47880 | ExploitDB-49646 Realtek Official Homepage VulnCheck Advisory: Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path |
| Rockstar Games--Rockstar Games Launcher | Rockstar Games Launcher 1.0.37.349 contains a privilege escalation vulnerability that allows authenticated users to modify the service executable with weak permissions. Attackers can replace the RockstarService.exe with a malicious binary to create a new administrator user and gain elevated system access. | 2026-01-21 | 8.8 | CVE-2021-47852 | ExploitDB-49739 Rockstar Games Launcher Official Site VulnCheck Advisory: Rockstar Service - Insecure File Permissions |
| runtipi--runtipi | Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0. | 2026-01-22 | 8.1 | CVE-2026-24129 | https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9 https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a https://github.com/runtipi/runtipi/releases/tag/v4.7.0 |
| Sandboxie-Plus--Sandboxie Plus | Sandboxie Plus 0.7.2 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup. | 2026-01-21 | 7.8 | CVE-2021-47883 | ExploitDB-49631 Vendor Homepage VulnCheck Advisory: Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path |
| Sangfor--Operation and Maintenance Management System | A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.12. Affected by this issue is the function SessionController of the file /isomp-protocol/protocol/session of the component SSH Protocol Handler. The manipulation of the argument keypassword leads to OS command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 8.8 | CVE-2026-1324 | VDB-342300 \| Sangfor Operation and Maintenance Management System SSH Protocol session SessionController os command injection VDB-342300 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735716 \| Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection https://github.com/LX-LX88/cve/issues/20 |
| satndy--Aplikasi-Biro-Travel | Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain unauthorized administrative access. | 2026-01-21 | 8.2 | CVE-2021-47848 | ExploitDB-49759 Aplikasi Biro Travel GitHub Repository VulnCheck Advisory: Blitar Tourism 1.0 - Authentication Bypass SQLi |
| Security--Winpakpro | WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the ScheduleService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in 'C:\Program Files <x86>\WINPAKPRO\ScheduleService Service.exe' to inject malicious code that would execute during service startup. | 2026-01-21 | 7.8 | CVE-2021-47867 | ExploitDB-49691 Honeywell Product Webpage VulnCheck Advisory: WIN-PACK PRO 4.8 - 'ScheduleService' Unquoted Service Path |
| SEO Panel--SEO Panel | SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. Attackers can use sqlmap to exploit the vulnerability and extract database information by injecting malicious SQL code into the order column parameter. | 2026-01-21 | 7.1 | CVE-2021-47872 | ExploitDB-49666 Official SEO Panel Homepage SEO Panel 4.9.0 Release GitHub Issue #209 VulnCheck Advisory: SEO Panel < 4.9.0 - 'order_col' Blind SQL Injection |
| shazdeh--Administrative Shortcodes | The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the 'slug' attribute of the 'get_template' shortcode. This is due to insufficient path validation on user-supplied input passed to the get_template_part() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. | 2026-01-24 | 7.5 | CVE-2026-1257 | https://www.wordfence.com/threat-intel/vulnerabilities/id/119fe499-88c4-413f-a44a-2b3acfdbdeb5?source=cve https://plugins.trac.wordpress.org/browser/administrative-shortcodes/trunk/administrative-shortcodes.php#L144 https://wordpress.org/plugins/administrative-shortcodes https://plugins.trac.wordpress.org/browser/administrative-shortcodes/tags/0.3.4/administrative-shortcodes.php#L144 |
| Shenzhen Tenda Technology Co.,Ltd.--Tenda D151 & D301 | Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without authentication. | 2026-01-21 | 7.5 | CVE-2021-47802 | ExploitDB-49782 Tenda Official Vendor Homepage VulnCheck Advisory: Tenda D151 & D301 - Configuration Download |
| sibercii6-crypto--teklifolustur_app | teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can manipulate the offer_id parameter to access offers belonging to other users. The issue is caused by missing authorization checks ensuring that the requested offer belonged to the currently authenticated user. Commit dd082a134a225b8dcd401b6224eead4fb183ea1c contains a patch. | 2026-01-19 | 7.1 | CVE-2026-23843 | https://github.com/sibercii6-crypto/teklifolustur_app/security/advisories/GHSA-6h9r-mmg3-cg7m https://github.com/sibercii6-crypto/teklifolustur_app/commit/dd082a134a225b8dcd401b6224eead4fb183ea1c |
| SIPp--SIPp | A flaw was found in SIPp. A remote attacker could exploit this by sending specially crafted Session Initiation Protocol (SIP) messages during an active call. This vulnerability, a NULL pointer dereference, can cause the application to crash, leading to a denial of service. Under specific conditions, it may also allow an attacker to execute unauthorized code, compromising the system's integrity and availability. | 2026-01-23 | 8.4 | CVE-2026-0710 | https://access.redhat.com/security/cve/CVE-2026-0710 RHBZ#2427788 |
| Softros Systems--LAN Messenger | Softros LAN Messenger 9.6.4 contains an unquoted service path vulnerability in the SoftrosSpellChecker service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\' to inject malicious executables and escalate privileges. | 2026-01-23 | 7.8 | CVE-2021-47889 | ExploitDB-49588 Vendor Homepage VulnCheck Advisory: Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path |
| Softros Systems--LogonExpert | LogonExpert 8.1 contains an unquoted service path vulnerability in the LogonExpertSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to place malicious executables in intermediate directories, potentially gaining elevated system access during service startup. | 2026-01-23 | 7.8 | CVE-2021-47890 | ExploitDB-49586 Vendor Homepage Software Download Link VulnCheck Advisory: LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path |
| Solvera Software Services Trade Inc.--Teknoera | Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection. This issue affects Teknoera: through 01102025. | 2026-01-22 | 8.1 | CVE-2025-10856 | https://www.usom.gov.tr/bildirim/tr-26-0003 |
| Solvera Software Services Trade Inc.--Teknoera | Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers. This issue affects Teknoera: through 01102025. | 2026-01-22 | 7.5 | CVE-2025-10855 | https://www.usom.gov.tr/bildirim/tr-26-0003 |
| specialk--User Submitted Posts Enable Users to Submit Posts from the Front End | The User Submitted Posts - Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom fields in all versions up to, and including, 20251210 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 7.2 | CVE-2026-0800 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec907bc-bd10-4dc5-be35-4f2aaf5ef444?source=cve https://plugins.trac.wordpress.org/changeset/3436859/user-submitted-posts |
| Tenda--AX1803 | A flaw has been found in Tenda AX1803 1.0.0.1. The affected element is the function fromGetWifiGuestBasic of the file /goform/WifiGuestSet. Executing a manipulation of the argument guestWrlPwd/guestEn/guestSsid/hideSsid/guestSecurity can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been published and may be used. | 2026-01-22 | 8.8 | CVE-2026-1329 | VDB-342305 \| Tenda AX1803 WifiGuestSet fromGetWifiGuestBasic stack-based overflow VDB-342305 \| CTI Indicators (IOB, IOC, IOA) Submit #736063 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow Submit #736064 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) Submit #736065 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) Submit #736066 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) Submit #736067 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) https://river-brow-763.notion.site/Tenda-AX1803-Buffer-Overflow-in-fromGetWifiGusetBasic-2e3a595a7aef80a78225db34317daa40#2e3a595a7aef801ab517e4af5631227a https://www.tenda.com.cn/ |
| The Textpattern Development Team--Textpattern | Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through a specific URL parameter. | 2026-01-23 | 8.8 | CVE-2021-47888 | ExploitDB-49620 Official Vendor Homepage Textpattern Software Download Page VulnCheck Advisory: Textpattern 4.8.3 - Remote code execution |
| Tosei--Online Store Management System | A vulnerability was determined in Tosei Online Store Management System ネット店舗管理システム 1.01. The affected element is an unknown function of the file /cgi-bin/imode_alldata.php. Executing a manipulation of the argument DevId can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1192 | VDB-341777 \| Tosei Online Store Management System ネット店舗管理システム imode_alldata.php command injection VDB-341777 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734205 \| Tosei Tosei Online Store Management System ネット店舗管理システム 1.01 Command Injection https://www.yuque.com/yuqueyonghuexlgkz/zepczx/keenhf9u2bnw5o6g |
| TOTOLINK--A3700R | A weakness has been identified in TOTOLINK A3700R 9.1.2u.5822_B20200513. This affects the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument ssid can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-19 | 8.8 | CVE-2026-1143 | VDB-341735 \| TOTOLINK A3700R cstecgi.cgi setWiFiEasyGuestCfg buffer overflow VDB-341735 \| CTI Indicators (IOB, IOC, IOA) Submit #735502 \| TOTOLINK A3700R V9.1.2u.5822_B20200513 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-A3700R-setWiFiEasyGuestCfg-2e353a41781f8057a244ead07d5eaaff?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. Affected by this vulnerability is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack may be performed remotely. The exploit has been made public and could be used. | 2026-01-19 | 8.8 | CVE-2026-1155 | VDB-341749 \| Totolink LR350 cstecgi.cgi setWiFiEasyGuestCfg buffer overflow VDB-341749 \| CTI Indicators (IOB, IOC, IOA) Submit #735718 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiEasyGuestCfg-2e453a41781f8034bae3d1a11066a8fb?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-19 | 8.8 | CVE-2026-1156 | VDB-341750 \| Totolink LR350 cstecgi.cgi setWiFiBasicCfg buffer overflow VDB-341750 \| CTI Indicators (IOB, IOC, IOA) Submit #735722 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiBasicCfg-2e453a41781f80a2ad43e85bf5d46659?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This affects the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ssid leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2026-01-19 | 8.8 | CVE-2026-1157 | VDB-341751 \| Totolink LR350 cstecgi.cgi setWiFiEasyCfg buffer overflow VDB-341751 \| CTI Indicators (IOB, IOC, IOA) Submit #735726 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiEasyCfg-2e453a41781f80b7b53cef33c6a782aa?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 8.8 | CVE-2026-1158 | VDB-341752 \| Totolink LR350 POST Request cstecgi.cgi setWizardCfg buffer overflow VDB-341752 \| CTI Indicators (IOB, IOC, IOA) Submit #735728 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWizardCfg-2e453a41781f80ce89cfc1d25049e279?source=copy_link https://www.totolink.net/ |
| Totolink--NR1800X | A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. Impacted is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. | 2026-01-22 | 8.8 | CVE-2026-1328 | VDB-342304 \| Totolink NR1800X POST Request cstecgi.cgi setWizardCfg buffer overflow VDB-342304 \| CTI Indicators (IOB, IOC, IOA) Submit #735792 \| TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWizardCfg-2e453a41781f80568a54c9368082fbe9?source=copy_link https://www.totolink.net/ |
| Unified Intents AB--Unified Remote | Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command prompt and download and execute malicious payloads. | 2026-01-23 | 9.8 | CVE-2021-47891 | ExploitDB-49587 Unified Remote Official Homepage Unified Remote Download Page VulnCheck Advisory: Unified Remote 3.9.0.2463 - Remote Code Execution |
| UTT--进取 520W | A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formWebAuthGlobalConfig. Performing a manipulation results in buffer overflow. The attack can be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1137 | VDB-341728 \| UTT 进取 520W formWebAuthGlobalConfig strcpy buffer overflow VDB-341728 \| CTI Indicators (IOB, IOC, IOA) Submit #735296 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/32.md |
| UTT--进取 520W | A flaw has been found in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/ConfigExceptQQ. Executing a manipulation can lead to buffer overflow. The attack may be performed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1138 | VDB-341729 \| UTT 进取 520W ConfigExceptQQ strcpy buffer overflow VDB-341729 \| CTI Indicators (IOB, IOC, IOA) Submit #735298 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/33.md |
| UTT--进取 520W | A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/ConfigExceptMSN. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1139 | VDB-341730 \| UTT 进取 520W ConfigExceptMSN strcpy buffer overflow VDB-341730 \| CTI Indicators (IOB, IOC, IOA) Submit #735299 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/34.md |
| UTT--进取 520W | A vulnerability was found in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/ConfigExceptAli. The manipulation results in buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1140 | VDB-341731 \| UTT 进取 520W ConfigExceptAli strcpy buffer overflow VDB-341731 \| CTI Indicators (IOB, IOC, IOA) Submit #735300 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/35.md |
| UTT--HiPER 810 | A flaw has been found in UTT HiPER 810 1.7.4-141218. The impacted element is the function strcpy of the file /goform/setSysAdm. This manipulation of the argument passwd1 causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-01-19 | 9.8 | CVE-2026-1162 | VDB-341756 \| UTT HiPER 810 setSysAdm strcpy buffer overflow VDB-341756 \| CTI Indicators (IOB, IOC, IOA) Submit #736511 \| UTT HiPER 810 / nv810v4 nv810v4v1.7.4-141218 Buffer Overflow https://github.com/cha0yang1/UTT810/blob/main/1.md https://github.com/cha0yang1/UTT810/blob/main/1.md#poc |
| VestaCP--VestaCP | VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload. | 2026-01-21 | 7.2 | CVE-2021-47873 | ExploitDB-49662 VestaCP Official Vendor Homepage VestaCP Alternative Download Site VulnCheck Advisory: VestaCP < 0.9.8-25 - Stored Cross-Site Scripting |
| Vfsforgit--VFS for Git | VFS for Git 1.0.21014.1 contains an unquoted service path vulnerability in the GVFS.Service Windows service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem privileges during service startup or system reboot. | 2026-01-21 | 7.8 | CVE-2021-47874 | ExploitDB-49661 Vendor Homepage VulnCheck Advisory: VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue. | 2026-01-21 | 8.8 | CVE-2026-22807 | https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr https://github.com/vllm-project/vllm/pull/32194 https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5 https://github.com/vllm-project/vllm/releases/tag/v0.14.0 |
| wpdevteam--NotificationX FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar | The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site. | 2026-01-20 | 7.2 | CVE-2025-15380 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0?source=cve https://research.cleantalk.org/cve-2025-15380/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail= |
| wpmessiah--Frontis Blocks Block Library for the Block Editor | The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the 'url' parameter in the 'template_proxy' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application via the '/template-proxy/' and '/proxy-image/' endpoint. | 2026-01-24 | 7.2 | CVE-2026-0807 | https://www.wordfence.com/threat-intel/vulnerabilities/id/322e0a27-9119-4b46-a043-d3a68c4fcdc4?source=cve https://plugins.trac.wordpress.org/browser/frontis-blocks/trunk/includes/Admin/Admin.php#L910 https://plugins.trac.wordpress.org/browser/frontis-blocks/tags/1.1.4/includes/Admin/Admin.php#L910 https://plugins.trac.wordpress.org/changeset/3444616/ |
| wpmudev--Hustle Email Marketing, Lead Generation, Optins, Popups | The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce. | 2026-01-24 | 7.5 | CVE-2026-0911 | https://www.wordfence.com/threat-intel/vulnerabilities/id/22be5fb5-143e-4934-9f93-e17def18e883?source=cve https://plugins.trac.wordpress.org/changeset/3440956/wordpress-popup |
| Yodinfo--Mini Mouse | Mini Mouse 9.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary commands through an unauthenticated HTTP endpoint. Attackers can leverage the /op=command endpoint to download and execute payloads by sending crafted JSON requests with malicious script commands. | 2026-01-21 | 9.8 | CVE-2021-47851 | ExploitDB-49743 Mini Mouse Apple Store VulnCheck Advisory: Mini Mouse 9.2.0 - Remote Code Execution |
| Yodinfo--Mini Mouse | Mini Mouse 9.2.0 contains a path traversal vulnerability that allows remote attackers to access arbitrary system files and directories through crafted HTTP requests. Attackers can retrieve sensitive files like win.ini and list contents of system directories such as C:\Users\Public by manipulating file and path parameters. | 2026-01-21 | 7.5 | CVE-2021-47850 | ExploitDB-49744 Mini Mouse Apple Store VulnCheck Advisory: Mini Mouse 9.2.0 - Path Traversal |
| Yonyou--KSOA | A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in SQL injection. The attack may be performed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1129 | VDB-341719 \| Yonyou KSOA HTTP GET Parameter worksadd.jsp sql injection VDB-341719 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734557 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/11 |
| Yonyou--KSOA | A flaw has been found in Yonyou KSOA 9.0. This issue affects some unknown processing of the file /worksheet/worksadd_plan.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1130 | VDB-341720 \| Yonyou KSOA HTTP GET Parameter worksadd_plan.jsp sql injection VDB-341720 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734565 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/12 |
| Yonyou--KSOA | A vulnerability has been found in Yonyou KSOA 9.0. Impacted is an unknown function of the file /kmc/save_catalog.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument catalogid leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1131 | VDB-341721 \| Yonyou KSOA HTTP GET Parameter save_catalog.jsp sql injection VDB-341721 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734566 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/13 |
| Yonyou--KSOA | A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /kmf/edit_folder.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument folderid results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1132 | VDB-341722 \| Yonyou KSOA HTTP GET Parameter edit_folder.jsp sql injection VDB-341722 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734568 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/15 |
| Yonyou--KSOA | A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /kmf/folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1133 | VDB-341723 \| Yonyou KSOA HTTP GET Parameter folder.jsp sql injection VDB-341723 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734576 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/16 |
| Yonyou--KSOA | A weakness has been identified in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /kmf/save_folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1177 | VDB-341771 \| Yonyou KSOA HTTP GET Parameter save_folder.jsp sql injection VDB-341771 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734577 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/17 |
| Yonyou--KSOA | A security vulnerability has been detected in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /kmf/select.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1178 | VDB-341772 \| Yonyou KSOA HTTP GET Parameter select.jsp sql injection VDB-341772 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734593 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/18 |
| Yonyou--KSOA | A vulnerability was detected in Yonyou KSOA 9.0. This affects an unknown part of the file /kmf/user_popedom.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid results in SQL injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1179 | VDB-341773 \| Yonyou KSOA HTTP GET Parameter user_popedom.jsp sql injection VDB-341773 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734594 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/19 |
| Zoom Communications Inc.--Zoom Node | A Command Injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access. | 2026-01-20 | 9.9 | CVE-2026-22844 | https://www.zoom.com/en/trust/security-bulletin/zsb-26001 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10web--Photo Gallery by 10Web Mobile-Friendly Image Gallery | The Photo Gallery by 10Web - Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin. | 2026-01-21 | 5.3 | CVE-2026-1036 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4eb2ae42-584d-4da8-9184-461b5a37b7b6?source=cve https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.35/frontend/controllers/BWGControllerGalleryBox.php#L173 |
| adzbierajewski--Alex User Counter | The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1070 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a5ef5b3-2900-44f0-9e13-66fbdc937b38?source=cve https://plugins.trac.wordpress.org/browser/user-counter/trunk/user-counter.php#L41 https://plugins.trac.wordpress.org/browser/user-counter/tags/6.0/user-counter.php#L41 |
| Aida Computer Information Technology Inc.--Hotel Guest Hotspot | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS. This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 5.5 | CVE-2025-4763 | https://www.usom.gov.tr/bildirim/tr-26-0001 |
| aiktp--AIKTP | The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator. | 2026-01-24 | 5.4 | CVE-2026-1103 | https://www.wordfence.com/threat-intel/vulnerabilities/id/84846d95-792d-4569-b0eb-876d82d0beee?source=cve https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L123 https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L143 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3445248%40aiktp&new=3445248%40aiktp |
| AlchemyCMS--alchemy_cms | Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing `eval()` with `send()`. | 2026-01-19 | 6.4 | CVE-2026-23885 | https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979 https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26 https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7 https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12 https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3 |
| Altium--AES | A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content. | 2026-01-22 | 6.8 | CVE-2025-27379 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Designer | Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle (MITM) attack could exploit this issue to intercept or manipulate network traffic, potentially exposing authentication credentials or sensitive design data. | 2026-01-22 | 5.3 | CVE-2025-27377 | https://www.altium.com/platform/security-compliance/security-advisories |
| aminhashemy--GZSEO | The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the embed_code parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary content into any post on the site that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2025-14941 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a4d4d-5bfa-42fd-80b4-7a75ee79db19?source=cve https://plugins.trac.wordpress.org/browser/gzseo/tags/2.0.11/includes/class-gzseo-video-update.php?marks=112,365,369,370,563#L112 |
| andddd--WP-ClanWars | The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-24 | 4.9 | CVE-2026-0806 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65aa20e2-efc1-481a-8ed4-423d2420c3db?source=cve https://plugins.trac.wordpress.org/browser/wp-clanwars/trunk/classes/teams.class.php#L92 https://plugins.trac.wordpress.org/browser/wp-clanwars/tags/2.0.1/classes/teams.class.php#L92 https://cwe.mitre.org/data/definitions/89.html |
| AutomationDirect--CLICK Programmable Logic Controller | An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks. | 2026-01-22 | 6.1 | CVE-2025-25051 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json |
| AutomationDirect--CLICK Programmable Logic Controller | An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust encryption or secure handling mechanisms increases the likelihood of this type of exploitation, leaving sensitive information more vulnerable. | 2026-01-22 | 6.1 | CVE-2025-67652 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. | 2026-01-24 | 6.5 | CVE-2026-24401 | https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3 https://github.com/avahi/avahi/issues/501 https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524 |
| AWS--Firecracker | A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above. | 2026-01-23 | 6 | CVE-2026-1386 | https://aws.amazon.com/security/security-bulletins/2026-003-AWS/ https://github.com/firecracker-microvm/firecracker/releases/tag/v1.14.1 https://github.com/firecracker-microvm/firecracker/releases/tag/v1.13.2 https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-36j2-f825-qvgc |
| axllent--mailpit | Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue. | 2026-01-19 | 5.8 | CVE-2026-23845 | https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe https://github.com/axllent/mailpit/releases/tag/v1.28.3 |
| B&R Industrial Automation GmbH--Automation Runtime | An Allocation of Resources Without Limits or Throttling vulnerability in the ANSL-Server component of B&R Automation Runtime versions prior to 6.5 and prior to R4.93 could be exploited by an unauthenticated attacker on the network to win a race condition, resulting in permanent denial-of-service (DoS) conditions on affected devices. | 2026-01-19 | 6.8 | CVE-2025-11044 | https://www.br-automation.com/fileadmin/SA25P005-26597bd0.pdf |
| backstage--backstage | Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users. | 2026-01-21 | 6.3 | CVE-2026-24047 | https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9 https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692 |
| Beckhoff Automation--TwinCAT.HMI.Server | On an instance of TwinCAT 3 HMI Server running on a device an authenticated administrator can inject arbitrary content into the custom CSS field which is persisted on the device and later returned via the login page and error page. | 2026-01-20 | 5.5 | CVE-2025-41768 | https://certvde.com/de/advisories/VDE-2025-106 |
| birkir--prime | A vulnerability was detected in birkir prime up to 0.4.0.beta.0. This issue affects some unknown processing of the file /graphql of the component GraphQL API. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1170 | VDB-341764 \| birkir prime GraphQL API graphql information disclosure VDB-341764 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731100 \| birkir prime <=0.4.0 Sensitive Information Disclosure https://github.com/birkir/prime/issues/541 |
| birkir--prime | A flaw has been found in birkir prime up to 0.4.0.beta.0. Impacted is an unknown function of the file /graphql of the component GraphQL Field Handler. Executing a manipulation can lead to denial of service. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1171 | VDB-341765 \| birkir prime GraphQL Field graphql denial of service VDB-341765 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731101 \| birkir prime <=0.4.0 GraphQL Field Duplication Vulnerability https://github.com/birkir/prime/issues/542 |
| birkir--prime | A vulnerability has been found in birkir prime up to 0.4.0.beta.0. The affected element is an unknown function of the file /graphql of the component GraphQL Directive Handler. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1172 | VDB-341766 \| birkir prime GraphQL Directive graphql denial of service VDB-341766 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731103 \| birkir prime <=0.4.0 Graphql Directive Overloading Vulnerability https://github.com/birkir/prime/issues/543 |
| birkir--prime | A vulnerability was found in birkir prime up to 0.4.0.beta.0. The impacted element is an unknown function of the file /graphql of the component GraphQL Array Based Query Batch Handler. The manipulation results in denial of service. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1173 | VDB-341767 \| birkir prime GraphQL Array Based Query Batch graphql denial of service VDB-341767 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731104 \| birkir prime <=0.4.0 Graphql Array Based Query Batching Vulnerability https://github.com/birkir/prime/issues/544 |
| birkir--prime | A vulnerability was determined in birkir prime up to 0.4.0.beta.0. This affects an unknown function of the file /graphql of the component GraphQL Alias Handler. This manipulation causes resource consumption. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1174 | VDB-341768 \| birkir prime GraphQL Alias graphql resource consumption VDB-341768 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731105 \| birkir prime <=0.4.0 GraphQL Aliases Overloading Vulnerability https://github.com/birkir/prime/issues/545 |
| birkir--prime | A vulnerability was identified in birkir prime up to 0.4.0.beta.0. This impacts an unknown function of the file /graphql of the component GraphQL Directive Handler. Such manipulation leads to information exposure through error message. The attack may be performed remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1175 | VDB-341769 \| birkir prime GraphQL Directive graphql information exposure VDB-341769 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731106 \| birkir prime <=0.4.0 GraphQL Directive Information Disclosure https://github.com/birkir/prime/issues/546 |
| birkir--prime | A security vulnerability has been detected in birkir prime up to 0.4.0.beta.0. This vulnerability affects unknown code. Such manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 4.3 | CVE-2026-1169 | VDB-341763 \| birkir prime cross-site request forgery VDB-341763 \| CTI Indicators (IOB, IOC) Submit #731287 \| birkir prime <=0.4.0 CSRF https://github.com/birkir/prime/issues/547 |
| Bjskzy--Zhiyou ERP | A vulnerability was detected in Bjskzy Zhiyou ERP up to 11.0. Impacted is the function initRCForm of the file RichClientService.class of the component com.artery.richclient.RichClientService. Performing a manipulation results in XML external entity reference. The attack can be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 6.3 | CVE-2026-1218 | VDB-341908 \| Bjskzy Zhiyou ERP com.artery.richclient.RichClientService RichClientService.class initRCForm xml external entity reference VDB-341908 \| CTI Indicators (IOB, IOC, IOA) Submit #735201 \| Bjskzy Enterprise Resource Planning Software 11.0 XML External Entity Reference https://github.com/dingpotian/cve-vul/blob/main/Shikong-Zhiyou-ERP/Shikong-Zhiyou-ERP-XXE-RichClientService-initRCForm.md |
| BloofoxCMS--BloofoxCMS | BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users' cookies. | 2026-01-23 | 6.4 | CVE-2021-47906 | ExploitDB-49492 Official Vendor Homepage BloofoxCMS Software Releases VulnCheck Advisory: BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting |
| Bosch--Infotainment system ECU | The Infotainment ECU manufactured by Bosch which is installed in Nissan Leaf ZE1 - 2020 uses a Redbend service for over-the-air provisioning and updates. HTTPS is used for communication with the back-end server. Due to usage of the default configuration for the underlying SSL engine, the server root certificate is not verified. As a result, an attacker may be able to impersonate a Redbend backend server using a self-signed certificate. First identified on Nissan Leaf ZE1 manufactured in 2020. | 2026-01-22 | 6.5 | CVE-2025-32057 | https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch |
| Bosch--Infotainment system ECU | The anti-theft protection mechanism can be bypassed by attackers due to weak response generation algorithms for the head unit. It is possible to reveal all 32 corresponding responses by sniffing CAN traffic or by pre-calculating the values, which allows the protection to be bypassed. First identified on Nissan Leaf ZE1 manufactured in 2020. | 2026-01-22 | 4 | CVE-2025-32056 | https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch |
| brainstormforce--Custom Fonts Host Your Fonts Locally | The Custom Fonts - Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete the font directory and rewrite the theme.json file. | 2026-01-20 | 5.3 | CVE-2025-14351 | https://www.wordfence.com/threat-intel/vulnerabilities/id/60e3a506-8811-4e7d-a16c-02f91c757705?source=cve https://plugins.trac.wordpress.org/browser/custom-fonts/trunk/includes/class-bcf-google-fonts-compatibility.php#L88 https://plugins.trac.wordpress.org/changeset/3442237/custom-fonts |
| bramdnl--Star Review Manager | The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1076 | https://www.wordfence.com/threat-intel/vulnerabilities/id/54b6a141-eb4c-4cf0-a078-5b3aeda25466?source=cve https://plugins.trac.wordpress.org/browser/star-review-manager/trunk/admin/settings.php#L3 https://plugins.trac.wordpress.org/browser/star-review-manager/tags/1.2.2/admin/settings.php#L3 |
| BROWAN COMMUNICATIONS--PrismX MX100 AP controller | PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Insufficiently Protected Credentials vulnerability, allowing privileged, authenticated remote attackers to obtain SMTP plaintext passwords through the web frontend. | 2026-01-20 | 4.9 | CVE-2026-1223 | https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html |
| cantothemes--Canto Testimonials | The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fx' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1095 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6f2ef250-f951-4408-ac42-3272ddf46530?source=cve https://plugins.trac.wordpress.org/browser/canto-testimonials/trunk/canto-testimonials.php#L132 https://plugins.trac.wordpress.org/browser/canto-testimonials/tags/1.0/canto-testimonials.php#L132 |
| Cisco--Cisco Intersight Virtual Appliance | A vulnerability in the read-only maintenance shell of Cisco Intersight Virtual Appliance could allow an authenticated, local attacker with administrative privileges to elevate privileges to root on the virtual appliance. This vulnerability is due to improper file permissions on configuration files for system accounts within the maintenance shell of the virtual appliance. An attacker could exploit this vulnerability by accessing the maintenance shell as a read-only administrator and manipulating system files to grant root privileges. A successful exploit could allow the attacker to elevate their privileges to root on the virtual appliance and gain full control of the appliance, giving them the ability to access sensitive information, modify workloads and configurations on the host system, and cause a denial of service (DoS). | 2026-01-21 | 6 | CVE-2026-20092 | cisco-sa-intersight-privesc-p6tBm6jk |
| Cisco--Cisco Packaged Contact Center Enterprise | Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. | 2026-01-21 | 4.8 | CVE-2026-20055 | cisco-sa-ucce-pcce-xss-2JVyg3uD |
| Cisco--Cisco Packaged Contact Center Enterprise | Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. | 2026-01-21 | 4.8 | CVE-2026-20109 | cisco-sa-ucce-pcce-xss-2JVyg3uD |
| Cisco--Cisco Ultra-Reliable Wireless Backhaul | A vulnerability in the SSH service of Cisco IEC6400 Wireless Backhaul Edge Compute Software could allow an unauthenticated, remote attacker to cause the SSH service to stop responding. This vulnerability exists because the SSH service lacks effective flood protection. An attacker could exploit this vulnerability by initiating a denial of service (DoS) attack against the SSH port. A successful exploit could allow the attacker to cause the SSH service to be unresponsive during the period of the DoS attack. All other operations remain stable during the attack. | 2026-01-21 | 5.3 | CVE-2026-20080 | cisco-sa-iec6400-Pem5uQ7v |
| Click2Magic--Click2Magic | Click2Magic 1.1.5 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts in the chat name input. Attackers can craft a malicious payload in the chat name to capture administrator cookies when the admin processes user requests. | 2026-01-25 | 6.4 | CVE-2020-36931 | ExploitDB-49347 Vendor Homepage Official Product Website VulnCheck Advisory: Click2Magic 1.1.5 - Stored Cross-Site Scripting |
| codemacher--CM CSS Columns | The CM CSS Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' shortcode attribute in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1098 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dabcc606-04ab-4fb0-bf3c-d3ad915b8904?source=cve https://plugins.trac.wordpress.org/browser/cm-css-columns/trunk/includes/Shortcoder.php#L109 https://plugins.trac.wordpress.org/browser/cm-css-columns/tags/1.2.1/includes/Shortcoder.php#L109 |
| controlplaneio-fluxcd--flux-operator | The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. In order to be vulnerable, cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values. After OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions. This can result in privilege escalation, data exposure, and/or information disclosure. Version 0.40.0 patches the issue. | 2026-01-21 | 5.3 | CVE-2026-23990 | https://github.com/controlplaneio-fluxcd/flux-operator/security/advisories/GHSA-4xh5-jcj2-ch8q https://github.com/controlplaneio-fluxcd/flux-operator/pull/610 https://github.com/controlplaneio-fluxcd/flux-operator/commit/084540424f6de8ba5d88fb1fd1e8472ba29afd7e https://github.com/controlplaneio-fluxcd/flux-operator/releases/tag/v0.40.0 |
| CRMEB--CRMEB | A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. The attack may be performed remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 5.6 | CVE-2026-1203 | VDB-341789 \| CRMEB JSON Token LoginServices.php remoteRegister improper authentication VDB-341789 \| CTI Indicators (IOB, IOC, IOA) Submit #735349 \| Zhongbang CRMEB v5.6.3 Authentication Bypass by https://github.com/foeCat/CVE/blob/main/CRMEB/jwt_auth_bypass/remote_register_jwt_bypass.md |
| cubewp1211--CubeWP Framework | The CubeWP - All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the search feature in class-cubewp-search-ajax-hooks.php due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | 2026-01-25 | 4.3 | CVE-2025-6461 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0edb6b7c-8a78-44b9-a5d6-b4a563c92484?source=cve https://plugins.trac.wordpress.org/changeset/3422640/cubewp-framework/trunk/cube/modules/search/class-cubewp-search-ajax-hooks.php |
| Dell--Data Protection Advisor | Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 2026-01-23 | 4.3 | CVE-2025-46699 | https://www.dell.com/support/kbdoc/en-us/000281732/dsa-2025-075-security-update-for-dell-data-protection-advisor-for-multiple-component-vulnerabilities |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit. | 2026-01-23 | 6.5 | CVE-2026-22274 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 2026-01-23 | 5.5 | CVE-2026-22276 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Inclusion of Sensitive Information in Source Code vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. | 2026-01-23 | 4.4 | CVE-2026-22275 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains an incorrect permission assignment for critical resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. | 2026-01-22 | 5 | CVE-2026-22280 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions prior to 9.13.0.0, contains an insufficient logging vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information tampering. | 2026-01-22 | 4.3 | CVE-2026-22279 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| devsoftbaltic--SurveyJS: Drag & Drop Form Builder | The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-13139 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c06880e-06cc-4204-a031-355de4de3af2?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/add_survey.php#L12 |
| devsoftbaltic--SurveyJS: Drag & Drop Form Builder | The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-13194 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab88f0cf-971f-43e1-b6b7-4eb55188ecc8?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/rename_survey.php#L12 |
| devsoftbaltic--SurveyJS: Drag & Drop Form Builder | The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-13205 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e1179303-fe7c-47f1-958c-2e4d2c574e4a?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/clone_survey.php#L8 |
| Discord--WebSocket API service | Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline." | 2026-01-22 | 4.3 | CVE-2026-24332 | https://xmrcat.org/discord-invisibility-bypass |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, causing both the loop and its caller to terminate silently. This leads to a denial of service, as the controller is responsible for the SDP and ISO15118-20 servers. Version 2025.10.0 fixes the issue. | 2026-01-21 | 6.5 | CVE-2025-68135 | https://github.com/EVerest/everest-core/security/advisories/GHSA-g7mm-r6qp-96vh |
| EVerest--everest-core | EVerest is an EV charging software stack, and EVerest libocpp is a C++ implementation of the Open Charge Point Protocol. In libocpp prior to version 0.30.1, pointers returned by the `strdup` calls are never freed. At each connection attempt, the newly allocated memory area will be leaked, potentially causing memory exhaustion and denial of service. Version 0.30.1 fixes the issue. | 2026-01-21 | 4.7 | CVE-2025-68138 | https://github.com/EVerest/everest-core/security/advisories/GHSA-f8c2-44c3-7v55 https://github.com/EVerest/libocpp/blob/89c7b62ec899db637f43b54f19af2c4af30cfa66/lib/ocpp/common/websocket/websocket_libwebsockets.cpp |
| EVerest--everest-core | EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the module are logged but do not trigger countermeasures such as session and connection reset or termination. This could be abused by a malicious user in order to exploit other weaknesses or vulnerabilities. While the default will stay at the setting that is described as potentially problematic in this reported issue, a mitigation is available by changing the `terminate_connection_on_failed_response` setting to `true`. However, this cannot be set to this value by default since it can trigger errors in vehicle ECUs requiring ECU resets and lengthy unavailability in charging for vehicles. The maintainers judge this to be a much more important workaround than short-term unavailability of an EVSE, therefore this setting will stay at the current value. | 2026-01-21 | 4.3 | CVE-2025-68139 | https://github.com/EVerest/everest-core/security/advisories/GHSA-wqh4-pj54-6xv9 |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. However, if no session has been registered, the default value is 0. Therefore, a message submitted with a session ID of 0 is accepted, as it matches the registered value. This could allow unauthorized and anonymous indirect emission of MQTT messages and communication with V2G messages handlers, updating a session context. Version 2025.9.0 fixes the issue. | 2026-01-21 | 4.3 | CVE-2025-68140 | https://github.com/EVerest/everest-core/security/advisories/GHSA-w385-3jwp-x47x |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. This results in pointer arithmetic instead of printing the integer value, as one would expect from most interpreted languages. This can be used by a malicious operator to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue. | 2026-01-21 | 4.2 | CVE-2026-23955 | https://github.com/EVerest/everest-core/security/advisories/GHSA-px57-jx97-hrff |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue. | 2026-01-19 | 5.3 | CVE-2026-23849 | https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889 |
| flatboy--FlatPM Ad Manager, AdSense and Custom Code | The FlatPM - Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rank_math_description' custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-20 | 6.4 | CVE-2026-0690 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14b89618-8a30-4b8c-9490-f05e8fa8ca8a?source=cve https://plugins.trac.wordpress.org/changeset/3434760/flatpm-wp |
| Foxit Software Inc.--na1.foxitesign.foxit.com | URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. This issue affects na1.foxitesign.foxit.com: before 2026‑01‑16. | 2026-01-20 | 6.1 | CVE-2025-66523 | https://www.foxit.com/support/security-bulletins.html |
| franklioxygen--MyTube | MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue. | 2026-01-19 | 6.5 | CVE-2026-23848 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b |
| freemp--JavaScript Notifier | The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 4.4 | CVE-2026-1191 | https://www.wordfence.com/threat-intel/vulnerabilities/id/97696702-4d40-41dd-a25f-f2ee7681a2c9?source=cve https://plugins.trac.wordpress.org/browser/javascript-notifier/trunk/javascript-notifier.php#L75 https://plugins.trac.wordpress.org/browser/javascript-notifier/tags/1.2.8/javascript-notifier.php#L75 |
| GetSimple CMS--Custom JS Plugin | GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page. | 2026-01-21 | 5.3 | CVE-2021-47860 | ExploitDB-49816 Vendor Homepage GetSimple CMS GitHub Repository Researcher Disclosure ExploitDB-49712 VulnCheck Advisory: GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection. | 2026-01-22 | 6.5 | CVE-2025-13335 | GitLab Issue #581060 HackerOne Bug Bounty Report #3418023 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests. | 2026-01-22 | 5.3 | CVE-2026-1102 | GitLab Issue #579746 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| hallsofmontezuma--Moderate Selected Posts | The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14907 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc23291-1b73-4e92-83ba-0c7f455ac126?source=cve https://plugins.trac.wordpress.org/browser/moderate-selected-posts/tags/1.4/inc/admin.php#L71 |
| HAMASTAR Technology--MeetingHub | MeetingHub developed by HAMASTAR Technology has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific API functions and obtain meeting-related information. | 2026-01-22 | 5.3 | CVE-2026-1332 | https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue. | 2026-01-22 | 5.4 | CVE-2026-24034 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mvwg-7c8w-qw2p https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0. | 2026-01-22 | 5.3 | CVE-2026-24036 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-q4xr-w96p-3vg7 https://github.com/horilla-opensource/horilla/commit/9a585a1588431499092a49d7e82cb77daa4d99ee https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without proper authorization. This occurs due to insufficient server-side validation of the employee_id parameter during file upload operations, allowing any authenticated employee to upload documents on behalf of any employee. Version 1.5.0 fixes the issue. | 2026-01-22 | 4.3 | CVE-2026-24035 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-fm3f-xpgx-8xr3 https://drive.google.com/file/d/1i00-NnipvxH8bGY-SyqEjnDQfxIbVGRR/view?usp=sharing https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to redirect users to malicious domains, run external JavaScript, and steal CSRF tokens that can be used to craft CSRF attacks against admins. This issue has been fixed in version 1.5.0. | 2026-01-22 | 4.8 | CVE-2026-24037 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-rqw5-fjm4-rgvm https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; however, an insufficient server-side authorization check on the approval endpoint lets a standard employee modify the approval status of their own uploaded document. A successful exploitation allows users with only employee-level permissions to alter application state reserved for administrators. This undermines the integrity of HR processes (for example, acceptance of credentials, certifications, or supporting materials), and may enable submission of unvetted documents. This issue is fixed in version 1.5.0. | 2026-01-22 | 4.3 | CVE-2026-24039 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-99mq-mhwv-w9qx https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| IBM--Application Gateway | IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 5.4 | CVE-2025-36396 | https://www.ibm.com/support/pages/node/7256857 |
| IBM--Application Gateway | IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | 2026-01-20 | 5.4 | CVE-2025-36397 | https://www.ibm.com/support/pages/node/7256857 |
| IBM--ApplinX | IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 6.4 | CVE-2025-36408 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--ApplinX | IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 5.4 | CVE-2025-36409 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--ApplinX | IBM ApplinX 11.1 could disclose sensitive information about server architecture that could aid in further attacks against the system. | 2026-01-20 | 5.3 | CVE-2025-36419 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--Aspera Console | IBM Aspera Console 3.4.7 stores potentially sensitive information in log files that could be read by a local privileged user. | 2026-01-20 | 4.9 | CVE-2025-13925 | https://www.ibm.com/support/pages/node/7256544 |
| IBM--Business Automation Workflow containers | IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitive configuration information in a config map. | 2026-01-20 | 5.5 | CVE-2025-36058 | https://www.ibm.com/support/pages/node/7256777 |
| IBM--Business Automation Workflow containers | IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls. | 2026-01-20 | 4.7 | CVE-2025-36059 | https://www.ibm.com/support/pages/node/7256777 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | 2026-01-20 | 5.9 | CVE-2025-1719 | https://www.ibm.com/support/pages/node/7257006 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | 2026-01-20 | 5.9 | CVE-2025-1722 | https://www.ibm.com/support/pages/node/7257006 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system. | 2026-01-20 | 6.3 | CVE-2025-36063 | https://www.ibm.com/support/pages/node/7257244 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system. | 2026-01-20 | 6.3 | CVE-2025-36065 | https://www.ibm.com/support/pages/node/7257244 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 6.1 | CVE-2025-36066 | https://www.ibm.com/support/pages/node/7257244 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system. | 2026-01-20 | 6.3 | CVE-2025-36115 | https://www.ibm.com/support/pages/node/7257244 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 5.4 | CVE-2025-36113 | https://www.ibm.com/support/pages/node/7257244 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. The BilateralBlurImage method will allocate a set of double buffers inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the last element in the set is not properly initialized. This will result in a release of an invalid pointer inside DestroyBilateralTLS when the memory allocation fails. Version 7.1.2-13 contains a patch for the issue. | 2026-01-20 | 6.5 | CVE-2026-22770 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-39h3-g67r-7g3c https://github.com/ImageMagick/ImageMagick/commit/3e0330721020e0c5bb52e4b77c347527dd71658e |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing `<comment>` tags before images are loaded. This can lead to a DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2. | 2026-01-22 | 6.5 | CVE-2026-23952 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8 https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in MSL (Magick Scripting Language) `<write>` command when writing to MSL format. Version 7.1.2-13 fixes the issue. | 2026-01-20 | 5.5 | CVE-2026-23874 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844 |
| iqonicdesign--KiviCare Clinic & Patient Management System (EHR) | The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files. | 2026-01-23 | 5.3 | CVE-2026-0927 | https://www.wordfence.com/threat-intel/vulnerabilities/id/489931ef-bac3-4de8-84ec-6f226d96f778?source=cve https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php#L1328 https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/3.6.15/app/controllers/KCAppointmentController.php#L1328 https://plugins.trac.wordpress.org/changeset/3443088/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php |
| itsourcecode--Society Management System | A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown function of the file /admin/expenses.php. The manipulation of the argument detail leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-01-19 | 4.3 | CVE-2026-1134 | VDB-341724 \| itsourcecode Society Management System expenses.php cross site scripting VDB-341724 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735156 \| itsourcecode Society Management System V1.0 cross site scripting https://github.com/TEhS411/cve/issues/7 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A security flaw has been discovered in itsourcecode Society Management System 1.0. This impacts an unknown function of the file /admin/activity.php. The manipulation of the argument Title results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 4.3 | CVE-2026-1135 | VDB-341725 \| itsourcecode Society Management System activity.php cross site scripting VDB-341725 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735157 \| itsourcecode Society Management System V1.0 cross site scripting https://github.com/TEhS411/cve/issues/8 https://itsourcecode.com/ |
| jamiesage123--MyBB Thread Redirect Plugin | MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution. | 2026-01-23 | 6.1 | CVE-2018-25116 | ExploitDB-49505 Thread Redirect Plugin GitHub Repository VulnCheck Advisory: MyBB Thread Redirect Plugin 0.2.1 - Cross-Site Scripting |
| kohler--hotcrp | HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0. | 2026-01-19 | 6.5 | CVE-2026-23878 | https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508 https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0 |
| kometschuh--Same Category Posts | The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of `htmlspecialchars_decode()` on taxonomy term names before output, which decodes HTML entities that WordPress intentionally encodes for safety. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 5.4 | CVE-2025-14797 | https://www.wordfence.com/threat-intel/vulnerabilities/id/70434876-4876-4da8-9af1-6f6ef5632f26?source=cve https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L665 https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L639 https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L707 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444428%40same-category-posts&new=3444428%40same-category-posts&sfp_email=&sfph_mail= |
| leadbi--LeadBI Plugin for WordPress | The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbi_form' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1189 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3a196eaa-64c7-447b-9384-b58fcba57ec0?source=cve https://wordpress.org/plugins/leadbi/ https://plugins.trac.wordpress.org/browser/leadbi/trunk/includes/Plugin.php#L72 https://plugins.trac.wordpress.org/browser/leadbi/tags/1.7/includes/Plugin.php#L72 |
| legalweb--WP DSGVO Tools (GDPR) | The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lw_content_block' shortcode in all versions up to, and including, 3.1.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-23 | 6.4 | CVE-2026-0914 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4474c79b-f93a-4725-8345-ad5c5260913c?source=cve https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.35/public/shortcodes/content-block-shortcode.php#L17 https://plugins.trac.wordpress.org/changeset/3440083/ |
| lovor--Cookie consent for developers | The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1084 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c16918a9-7b73-418d-adbd-aa17cb1d8cf8?source=cve https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/trunk/admin/class-ntg-cookie-consent-admin.php#L112 https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/trunk/admin/partials/ntg-cookie-consent-admin-display.php#L108 https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/tags/1.7.1/admin/class-ntg-cookie-consent-admin.php#L112 https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/tags/1.7.1/admin/partials/ntg-cookie-consent-admin-display.php#L108 |
| magazine3--Schema & Structured Data for WP & AMP | The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-23 | 6.4 | CVE-2025-14069 | https://www.wordfence.com/threat-intel/vulnerabilities/id/651a7036-d421-41b7-91db-102e60d8274e?source=cve https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/admin_section/common-function.php#L1874 https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/admin_section/structure-admin.php#L2605 https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/output/function.php#L171 https://plugins.trac.wordpress.org/changeset/3441582/schema-and-structured-data-for-wp/trunk?contextall=1&old=3429983&old_path=%2Fschema-and-structured-data-for-wp%2Ftrunk#file0 |
| mainichiweb--Friendly Functions for Welcart | The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1208 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6cc709e0-870b-4d12-9ac8-55da498768a1?source=cve https://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.5/ffw_function_settings.php#L53 https://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.5/ffw_function_settings.php#L58 https://plugins.trac.wordpress.org/changeset/3445305/ |
| marcinlawrowski--Wise Analytics | The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possible for unauthenticated attackers to access sensitive analytics data including administrator usernames, login timestamps, visitor tracking information, and business intelligence data via the 'name' parameter granted they can send unauthenticated requests. | 2026-01-24 | 5.3 | CVE-2025-14609 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d92c80cb-080b-4774-8c66-1d5cf68e771f?source=cve https://plugins.trac.wordpress.org/browser/wise-analytics/trunk/src/Endpoints/ReportsEndpoint.php#L43 https://plugins.trac.wordpress.org/browser/wise-analytics/tags/1.1.9/src/Endpoints/ReportsEndpoint.php#L43 |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 6.5 | CVE-2026-23964 | https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4 https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 5.3 | CVE-2026-23961 | https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 4.3 | CVE-2026-23963 | https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3 https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-36556 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2272 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the sendOruReport functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-44000 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2270 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the fetchPriorStudies functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-46270 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2258 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the downloadZip functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-53516 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2254 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the modifyTranscript functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-53707 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2267 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the modifyHL7Route functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-53854 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2265 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54157 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2256 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the emailfailedjob functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54495 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2255 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the existingUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54778 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2257 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the modifyAutopurgeFilter functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54814 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2261 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the autoPurge functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a URL to a malicious website to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54817 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2253 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the modifyAeTitle functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54852 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2260 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the modifyUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54853 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2268 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the modifyCoercion functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54861 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2262 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the modifyAnonymize functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-55071 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2259 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the notifynewstudy functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-57786 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2269 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the modifyRoute functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-57787 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2266 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the modifyEmail functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-57881 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2263 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (XSS) vulnerability exists in the modifyHL7App functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-58080 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2264 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the status parameter. | 2026-01-20 | 6.1 | CVE-2025-58087 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the archivedir parameter. | 2026-01-20 | 6.1 | CVE-2025-58088 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the longtermdir parameter. | 2026-01-20 | 6.1 | CVE-2025-58089 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the uploaddir parameter. | 2026-01-20 | 6.1 | CVE-2025-58090 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the thumbnaildir parameter. | 2026-01-20 | 6.1 | CVE-2025-58091 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the phpexe parameter. | 2026-01-20 | 6.1 | CVE-2025-58092 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the phpdir parameter. | 2026-01-20 | 6.1 | CVE-2025-58093 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the worklistsrc parameter. | 2026-01-20 | 6.1 | CVE-2025-58094 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the imagedir parameter. | 2026-01-20 | 6.1 | CVE-2025-58095 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| mehtevas--Responsive Header Plugin | The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1300 | https://www.wordfence.com/threat-intel/vulnerabilities/id/30821418-48c0-4bc6-8bf1-f558671bff24?source=cve https://downloads.wordpress.org/plugin/responsive-header.1.0.zip https://wordpress.org/plugins/responsive-header/ https://plugins.trac.wordpress.org/browser/responsive-header/trunk/rhp-settings.php#L103 https://plugins.trac.wordpress.org/browser/responsive-header/tags/1.0/rhp-settings.php#L103 |
| Mfscripts--YetiShare File Hosting Script | YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files like /etc/passwd by using file:/// protocol. | 2026-01-23 | 4 | CVE-2021-47899 | ExploitDB-49534 Vendor Homepage Software Product Page VulnCheck Advisory: YetiShare File Hosting Script 5.1.0 Remote File Upload SSRF Vulnerability |
| MineAdmin--MineAdmin | A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 6.3 | CVE-2026-1193 | VDB-341778 \| MineAdmin View view improper authorization VDB-341778 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734270 \| MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Logical flaw and vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/6 |
| MineAdmin--MineAdmin | A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 5.3 | CVE-2026-1194 | VDB-341779 \| MineAdmin Swagger information disclosure VDB-341779 \| CTI Indicators (IOB, IOC, TTP) Submit #734271 \| MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Swagger Information Leakage Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/5 |
| MineAdmin--MineAdmin | A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 5 | CVE-2026-1195 | VDB-341780 \| MineAdmin JWT Token refresh data authenticity VDB-341780 \| CTI Indicators (IOB, IOC, IOA) Submit #734272 \| MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Flaw Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/4 |
| neop--Postalicious | The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1266 | https://www.wordfence.com/threat-intel/vulnerabilities/id/512c9a2f-b023-4e28-8dd8-35795e68a8b3?source=cve https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L316 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L316 https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L533 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L533 https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L541 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L541 https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L548 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L548 |
| nhomcaodem--Viet contact | The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-20 | 4.4 | CVE-2026-1045 | https://www.wordfence.com/threat-intel/vulnerabilities/id/131a6a35-e0d2-4613-8614-24bf11011098?source=cve https://plugins.trac.wordpress.org/browser/viet-contact/trunk/inc/vietcontact-admin.php#L34 https://plugins.trac.wordpress.org/browser/viet-contact/trunk/inc/vietcontact-content.php#L11 |
| norcross--WP Hello Bar | The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'digit_one' and 'digit_two' parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-20 | 4.4 | CVE-2026-1042 | https://www.wordfence.com/threat-intel/vulnerabilities/id/73b55486-adb8-40c6-9113-c98618d9cb00?source=cve https://downloads.wordpress.org/plugin/wp-hello-bar.1.02.zip https://wordpress.org/plugins/wp-hello-bar/ https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L214 https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L222 https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L152 |
| NVIDIA--CUDA Toolkit | NVIDIA Nsight Systems for Windows contains a vulnerability in the application's DLL loading mechanism where an attacker could cause an uncontrolled search path element by exploiting insecure DLL search paths. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service and information disclosure. | 2026-01-20 | 6.7 | CVE-2025-33231 | https://nvd.nist.gov/vuln/detail/CVE-2025-33231 https://www.cve.org/CVERecord?id=CVE-2025-33231 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| opencryptoki--opencryptoki | openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit the system when an administrator runs a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance. This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication. | 2026-01-22 | 6.8 | CVE-2026-23893 | https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-j6c7-mvpx-jx5q https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45 |
| OpenEMR Foundation, Inc.--OpenEMR | OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command execution on the vulnerable OpenEMR instance. | 2026-01-21 | 5.4 | CVE-2021-47817 | ExploitDB-49784 OpenEMR Official Website OpenEMR 5.0.2.1 Download SonarSource Vulnerability Analysis Vulnerability Demonstration Video VulnCheck Advisory: OpenEMR 5.0.2.1 - Remote Code Execution |
| opf--openproject | OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the session belongs to the user. As the ID that is used to identify these session objects use incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc) of other users that are stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available as this does not require any permissions or other that can temporarily be disabled. | 2026-01-19 | 6.5 | CVE-2026-23646 | https://github.com/opf/openproject/security/advisories/GHSA-w422-xf8f-v4vp https://github.com/opf/openproject/releases/tag/v16.6.5 https://github.com/opf/openproject/releases/tag/v17.0.1 |
| opf--openproject | OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available. | 2026-01-19 | 4.3 | CVE-2026-23721 | https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h |
| Oracle Corporation--JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.26.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21946 | Oracle Advisory |
| Oracle Corporation--MySQL Cluster | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21936 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 6.5 | CVE-2026-21949 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 6.5 | CVE-2026-21950 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 6.5 | CVE-2026-21968 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 5.3 | CVE-2026-21929 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21937 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21941 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21948 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21952 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21964 | Oracle Advisory |
| Oracle Corporation--Oracle Agile Product Lifecycle Management for Process | Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile Product Lifecycle Management for Process accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 6.5 | CVE-2026-21944 | Oracle Advisory |
| Oracle Corporation--Oracle APEX Sample Applications | Vulnerability in the Oracle APEX Sample Applications product of Oracle APEX (component: Brookstrut Sample App). Supported versions that are affected are 23.2.0, 23.2.1, 24.1.0, 24.2.0 and 24.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle APEX Sample Applications. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle APEX Sample Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle APEX Sample Applications accessible data as well as unauthorized read access to a subset of Oracle APEX Sample Applications accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21931 | Oracle Advisory |
| Oracle Corporation--Oracle Applications DBA | Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications DBA accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). | 2026-01-20 | 6.5 | CVE-2026-21960 | Oracle Advisory |
| Oracle Corporation--Oracle Configurator | Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-01-20 | 5.3 | CVE-2026-21972 | Oracle Advisory |
| Oracle Corporation--Oracle Database Server | Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. Easily exploitable vulnerability allows high privileged attacker having Authenticated User privilege with network access via Oracle Net to compromise Java VM. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java VM. CVSS 3.1 Base Score 4.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.5 | CVE-2026-21975 | Oracle Advisory |
| Oracle Corporation--Oracle FLEXCUBE Universal Banking | Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Relationship Pricing). Supported versions that are affected are 14.0.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 6.5 | CVE-2026-21978 | Oracle Advisory |
| Oracle Corporation--Oracle Hospitality OPERA 5 Property Services | Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21966 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21933 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 4.8 | CVE-2026-21925 | Oracle Advisory |
| Oracle Corporation--Oracle Life Sciences Central Coding | Vulnerability in the Oracle Life Sciences Central Coding product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Coding. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Central Coding accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Central Coding accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 6.5 | CVE-2026-21980 | Oracle Advisory |
| Oracle Corporation--Oracle Life Sciences Central Designer | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Central Designer accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 6.5 | CVE-2026-21923 | Oracle Advisory |
| Oracle Corporation--Oracle Life Sciences Central Designer | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 6.5 | CVE-2026-21970 | Oracle Advisory |
| Oracle Corporation--Oracle Life Sciences Central Designer | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-01-20 | 5.3 | CVE-2026-21974 | Oracle Advisory |
| Oracle Corporation--Oracle Planning and Budgeting Cloud Service | Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to Downloading the EPM Agent (https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html) for more information. CVSS 3.1 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N). | 2026-01-20 | 4.2 | CVE-2026-21922 | Oracle Advisory |
| Oracle Corporation--Oracle Planning and Budgeting Cloud Service | Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to Downloading the EPM Agent (https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html) for more information. CVSS 3.1 Base Score 4.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N). | 2026-01-20 | 4.2 | CVE-2026-21979 | Oracle Advisory |
| Oracle Corporation--Oracle Scripting | Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: Scripting Admin). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Scripting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Scripting accessible data as well as unauthorized read access to a subset of Oracle Scripting accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21943 | Oracle Advisory |
| Oracle Corporation--Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Driver). The supported version that is affected is 11. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). | 2026-01-20 | 5.8 | CVE-2026-21927 | Oracle Advisory |
| Oracle Corporation--Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Solaris accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-01-20 | 5.3 | CVE-2026-21928 | Oracle Advisory |
| Oracle Corporation--Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Driver). The supported version that is affected is 11. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). | 2026-01-20 | 5.8 | CVE-2026-21935 | Oracle Advisory |
| Oracle Corporation--Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystems). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H). | 2026-01-20 | 5 | CVE-2026-21942 | Oracle Advisory |
| Oracle Corporation--Oracle Utilities Application Framework | Vulnerability in the Oracle Utilities Application Framework product of Oracle Utilities Applications (component: General). Supported versions that are affected are 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 4.5.0.2.0, 25.4 and 25.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Utilities Application Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Utilities Application Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Utilities Application Framework accessible data as well as unauthorized read access to a subset of Oracle Utilities Application Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21924 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | 2026-01-20 | 6 | CVE-2026-21963 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | 2026-01-20 | 6 | CVE-2026-21985 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.6 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L). | 2026-01-20 | 4.6 | CVE-2026-21981 | Oracle Advisory |
| Oracle Corporation--Oracle Workflow | Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Workflow accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 4.9 | CVE-2026-21959 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise HCM Human Resources | Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Company Dir / Org Chart Viewer, Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Human Resources, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21961 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21938 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Integration Broker). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21951 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Push Notifications). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21934 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise SCM Purchasing | Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM Purchasing accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM Purchasing accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21971 | Oracle Advisory |
| ostin654--JustClick registration plugin | The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-24 | 6.1 | CVE-2025-13676 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f1420ec8-55e4-448d-8230-228d1e566b97?source=cve https://plugins.trac.wordpress.org/browser/justclick-subscriber/trunk/justclick.php#L154 https://plugins.trac.wordpress.org/browser/justclick-subscriber/tags/0.1/justclick.php#L154 |
| Palantir--com.palantir.aries:aries | A vulnerability in Palantir's Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. The defect resulted in both authentication and authorization checks being bypassed, potentially allowing any network-accessible client to view system logs and perform operations without valid credentials. No evidence of exploitation was identified during the vulnerability window. | 2026-01-22 | 6.6 | CVE-2025-68609 | https://palantir.safebase.us/?tcuUid=955a313a-1735-48a6-9fb4-e10404f14eb5 |
| pdfcrowd--Save as PDF Plugin by PDFCrowd | The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'options' parameter in all versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: Successful exploitation of this vulnerability requires that the PDFCrowd API key is blank (also known as "demo mode", which is the default configuration when the plugin is installed) or known. | 2026-01-24 | 6.1 | CVE-2026-0862 | https://www.wordfence.com/threat-intel/vulnerabilities/id/74172fcb-7428-464a-89f1-f1f3af50e361?source=cve https://plugins.trac.wordpress.org/changeset/3438577/save-as-pdf-by-pdfcrowd |
| peachpay--PeachPay Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) | The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders. | 2026-01-20 | 5.3 | CVE-2025-14978 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5480a151-3e3a-46ba-9712-6c61fba06812?source=cve https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.119.5/core/payments/convesiopay/routes/class-peachpay-convesiopay-webhook.php#L33 |
| PHPGurukul--News Portal | A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used. | 2026-01-19 | 6.3 | CVE-2026-1141 | VDB-341733 \| PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization VDB-341733 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735483 \| PHPGurukul News Portal Project in PHP and MySql 1.0 Improper Access Controls https://github.com/Asim-QAZi/BrokenAccessControl-News-Portal-Project-in-PHP-and-MySQL-in-PHPGurukul https://phpgurukul.com/ |
| PHPGurukul--News Portal | A security flaw has been discovered in PHPGurukul News Portal 1.0. The impacted element is an unknown function. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 4.3 | CVE-2026-1142 | VDB-341734 \| PHPGurukul News Portal cross-site request forgery VDB-341734 \| CTI Indicators (IOB, IOC) Submit #735498 \| PHPGurukul News Portal Project in PHP and MySql 1.0 Cross-Site Request Forgery https://github.com/Asim-QAZi/CSRF-Add-Subadmin-in-News-Portal-Project-in-PHP-and-MySql-in-PHPGurukul https://phpgurukul.com/ |
| plugins360--All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates. | 2026-01-23 | 6.5 | CVE-2025-14947 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bedfb712-faf6-4131-b254-e6d7c367f49f?source=cve https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/includes/init.php#L373 https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/bunny-stream.php#L131 https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/bunny-stream.php#L285 https://plugins.trac.wordpress.org/changeset/3441541/ |
| plugins360--All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account. | 2026-01-24 | 4.3 | CVE-2025-15516 | https://www.wordfence.com/threat-intel/vulnerabilities/id/218e4ed5-661b-49e1-8b23-457a93fd53fa?source=cve https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.6.4/admin/admin.php#L1062 |
| pytest--pytest | pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges. | 2026-01-22 | 6.8 | CVE-2025-71176 | https://github.com/pytest-dev/pytest/issues/13669 https://www.openwall.com/lists/oss-security/2026/01/21/5 |
| quickjs-ng--quickjs | A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue. | 2026-01-19 | 6.3 | CVE-2026-1144 | VDB-341737 \| quickjs-ng quickjs Atomics Ops quickjs.c use after free VDB-341737 \| CTI Indicators (IOB, IOC, IOA) Submit #735537 \| quickjs-ng quickjs v0.11.0 Use After Free Submit #735538 \| quickjs-ng quickjs v0.11.0 Use After Free (Duplicate) https://github.com/quickjs-ng/quickjs/issues/1301 https://github.com/quickjs-ng/quickjs/pull/1303 https://github.com/quickjs-ng/quickjs/issues/1302 https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141 |
| quickjs-ng--quickjs | A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack can be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue. | 2026-01-19 | 6.3 | CVE-2026-1145 | VDB-341738 \| quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow VDB-341738 \| CTI Indicators (IOB, IOC, IOA) Submit #735539 \| quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow https://github.com/quickjs-ng/quickjs/issues/1305 https://github.com/quickjs-ng/quickjs/pull/1306 https://github.com/quickjs-ng/quickjs/issues/1305#issue-3785444372 https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4 |
| rebelcode--RSS Aggregator RSS Import, News Feeds, Feed to Post, and Autoblogging | The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-23 | 6.4 | CVE-2025-14745 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dd201949-d3a1-4fdb-bf98-252fbfd59380?source=cve https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/src/Renderer.php#L209 https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator/trunk/core/src/Renderer.php |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow. | 2026-01-21 | 6.5 | CVE-2025-14559 | https://access.redhat.com/security/cve/CVE-2025-14559 RHBZ#2421711 |
| Red Hat--Red Hat Build of Keycloak | A flaw was identified in Keycloak's OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk. | 2026-01-20 | 5.8 | CVE-2026-1180 | https://access.redhat.com/security/cve/CVE-2026-1180 RHBZ#2430781 |
| robiulawal40--Alpha Blocks | The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alpha_block_css' parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2025-14985 | https://www.wordfence.com/threat-intel/vulnerabilities/id/745dcc4c-1c52-4ac7-9ac6-033770282a3b?source=cve https://plugins.trac.wordpress.org/browser/alpha-blocks/tags/1.5.0/class/block_inline_style.php#L175 |
| rtowebsites--AdminQuickbar | The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. This makes it possible for unauthenticated attackers to modify plugin settings and update post titles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14630 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb70ad52-b964-4c56-98a2-06be375a79af?source=cve https://plugins.trac.wordpress.org/browser/adminquickbar/tags/1.9.3/Lib/AdminQuickbar.php#L88 https://plugins.trac.wordpress.org/browser/adminquickbar/tags/1.9.3/Lib/Sidebar.php#L386 https://plugins.trac.wordpress.org/browser/adminquickbar/trunk/Lib/AdminQuickbar.php#L88 https://plugins.trac.wordpress.org/browser/adminquickbar/trunk/Lib/Sidebar.php#L386 |
| Sangfor--Operation and Maintenance Security Management System | A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 5.3 | CVE-2026-1325 | VDB-342301 \| Sangfor Operation and Maintenance Security Management System edit_pwd_mall password recovery VDB-342301 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736208 \| Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统) 3.0.12 Unauthenticated Arbitrary Password Reset https://github.com/LX-LX88/cve/issues/21 |
| satollo--Newsletter Send awesome emails from WordPress | The Newsletter - Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link. | 2026-01-20 | 4.3 | CVE-2026-1051 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8de2156f-5087-4c16-8e5d-93b5c72ec536?source=cve https://plugins.trac.wordpress.org/browser/newsletter/tags/9.1.0/unsubscription/unsubscription.php#L141 |
| sauravrox--Set Bulk Post Categories | The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1081 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9503f908-ead2-4c34-89b9-1e2348b90f3c?source=cve https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/trunk/set-bulk-categories.php#L36 https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/tags/1.1/set-bulk-categories.php#L36 |
| Seacms--Seacms | SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users' browsers when the page is loaded. | 2026-01-25 | 6.4 | CVE-2020-36932 | ExploitDB-49251 Official Seacms Product Homepage VulnCheck Advisory: Seacms 11.1 - 'checkuser' Stored XSS |
| shahinurislam--Meta-box GalleryMeta | The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to create and publish galleries. | 2026-01-24 | 4.3 | CVE-2026-0687 | https://www.wordfence.com/threat-intel/vulnerabilities/id/872c61aa-c95c-4b86-8e39-8112bb117a0b?source=cve https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/include/posttype.php#L29 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L375 |
| shahinurislam--Meta-box GalleryMeta | The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1302 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb9ae252-7e5f-4dc0-a162-100493b81980?source=cve https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/templates/single-mb_gallery.php#L31 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/templates/single-mb_gallery.php#L33 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L119 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L314 |
| shazdeh--Administrative Shortcodes | The Administrative Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'login' and 'logout' shortcode attributes in all versions up to, and including, 0.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1099 | https://www.wordfence.com/threat-intel/vulnerabilities/id/de931a65-c898-4b1d-99ce-20dd646bcbb0?source=cve https://plugins.trac.wordpress.org/browser/administrative-shortcodes/trunk/administrative-shortcodes.php#L196 https://plugins.trac.wordpress.org/browser/administrative-shortcodes/tags/0.3.4/administrative-shortcodes.php#L196 |
| sigstore--rekor | Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing a nil pointer dereference. The validate() function returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered, so the client receives a 500 error message and the service continues running; the availability impact is therefore minimal. This issue has been fixed in version 1.5.0. | 2026-01-22 | 5.3 | CVE-2026-23831 | https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833 https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd https://github.com/sigstore/rekor/releases/tag/v1.5.0 |
| sigstore--rekor | Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via a user-provided URL. Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through blind SSRF. The issue has been fixed in version 1.5.0. To work around this issue, disable the search endpoint with --enable_retrieve_api=false. | 2026-01-22 | 5.3 | CVE-2026-24117 | https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f https://github.com/sigstore/rekor/releases/tag/v1.5.0 |
| sigstore--sigstore | The sigstore framework is a common Go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release. | 2026-01-23 | 5.8 | CVE-2026-24137 | https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e https://github.com/sigstore/sigstore/releases/tag/v1.10.4 |
| SourceCodester--E-Learning System | A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description can lead to basic cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. | 2026-01-19 | 4.3 | CVE-2026-1154 | VDB-341747 \| SourceCodester E-Learning System Lesson index.php cross site scripting VDB-341747 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735855 \| SourceCodester E-Learning System (CAIWL) 1.0 Stored HTML Injection Vulnerability https://gist.github.com/0xCaptainFahim/dada955760b424a851de12bccadee997 https://www.sourcecodester.com/ |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability was determined in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This vulnerability affects unknown code. Executing a manipulation can lead to cross-site request forgery. It is possible to launch the attack remotely. | 2026-01-19 | 4.3 | CVE-2026-1148 | VDB-341741 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System cross-site request forgery VDB-341741 | CTI Indicators (IOB, IOC) Submit #735545 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross-Site Request Forgery |
| specialk--Head Meta Data | The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-20 | 6.4 | CVE-2026-0608 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9592bb6d-8e1d-4c89-addd-11c07272a628?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/head-meta-data/tags/20251118&new_path=/head-meta-data/tags/20260105 |
| Spring--Spring Security | The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. | 2026-01-22 | 5.3 | CVE-2025-22234 | Spring Security Advisory: CVE-2025-22234 |
| stefanristic--Simple Crypto Shortcodes | The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14903 | https://www.wordfence.com/threat-intel/vulnerabilities/id/18bcd2ad-1989-4e2b-b82e-fddc4201c5a6?source=cve https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L46 https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L54 |
| stellarwp--The Events Calendar | The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action. | 2026-01-20 | 5.4 | CVE-2025-15043 | https://www.wordfence.com/threat-intel/vulnerabilities/id/346a5b00-fb76-4413-a935-a2df4dc51984?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/the-events-calendar/tags/6.15.13&new_path=/the-events-calendar/tags/6.15.13.1 |
| sumatrapdfreader--sumatrapdf | SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication. | 2026-01-22 | 5.5 | CVE-2026-23951 | https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp |
| swift-otel--swift-w3c-trace-context | Swift W3C TraceContext is a Swift implementation of the W3C Trace Context standard, and Swift OTel is an OpenTelemetry Protocol (OTLP) backend for Swift Log, Swift Metrics, and Swift Distributed Tracing. Prior to Swift W3C TraceContext version 1.0.0-beta.5 and Swift OTel version 1.0.4, a denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header. This allows crashing the process with data coming from the network when used with, for example, an HTTP server. The most common way of using Swift W3C Trace Context is through Swift OTel. Version 1.0.0-beta.5 of Swift W3C TraceContext and version 1.0.4 of Swift OTel contain a patch for this issue. As a workaround, disable either Swift OTel or the code that extracts the trace information from an incoming header (such as a `TracingMiddleware`). | 2026-01-19 | 5.3 | CVE-2026-23886 | https://github.com/swift-otel/swift-w3c-trace-context/security/advisories/GHSA-mvpq-2v8x-ww6g https://github.com/swift-otel/swift-w3c-trace-context/commit/5da9b143ba6046734de3fa51dafea28290174e4e https://github.com/swift-otel/swift-otel/releases/tag/1.0.4 https://github.com/swift-otel/swift-w3c-trace-context/releases/tag/1.0.0-beta.5 |
| tandubhai--Alchemist Ajax Upload | The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments. | 2026-01-24 | 5.3 | CVE-2025-14629 | https://www.wordfence.com/threat-intel/vulnerabilities/id/865dbcf5-7990-40f3-bb90-3ae359b52c6f?source=cve https://wordpress.org/plugins/alchemist-ajax-upload/ https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/tags/1.1/alchemist_ajax_upload.php#L231 https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/trunk/alchemist_ajax_upload.php#L231 |
| Tapandsign Technologies Software Inc.--Tap&Sign | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tapandsign Technologies Software Inc. Tap&Sign allows Cross-Site Scripting (XSS). This issue affects Tap&Sign: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-23 | 4.7 | CVE-2025-2204 | https://www.usom.gov.tr/bildirim/tr-26-0004 |
| teamzt--ZT Captcha | The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1075 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f9d6da5-1598-4df4-8efc-306370446443?source=cve https://plugins.trac.wordpress.org/browser/zt-captcha/trunk/request/CaptchaRequest.php#L37 https://plugins.trac.wordpress.org/browser/zt-captcha/tags/1.0.4/request/CaptchaRequest.php#L37 |
| technical-laohu--mpay | A security vulnerability has been detected in technical-laohu mpay up to 1.2.4. The impacted element is an unknown function of the component QR Code Image Handler. Such manipulation of the argument codeimg leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-19 | 4.7 | CVE-2026-1152 | VDB-341745 \| technical-laohu mpay QR Code Image unrestricted upload VDB-341745 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735775 \| https://gitee.com/technical-laohu/mpay mpay v1.2.4 Arbitrary file upload vulnerability https://github.com/bdkuzma/vuln/issues/17 |
| technical-laohu--mpay | A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2026-01-19 | 4.3 | CVE-2026-1153 | VDB-341746 \| technical-laohu mpay cross-site request forgery VDB-341746 \| CTI Indicators (IOB, IOC) Submit #735789 \| https://gitee.com/technical-laohu/mpay mpay v1.2.4 Cross-Site Request Forgery https://github.com/bdkuzma/vuln/issues/18 |
| tendenci--tendenci | Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. This issue has been fixed in version 15.3.12. | 2026-01-22 | 6.8 | CVE-2026-23946 | https://github.com/tendenci/tendenci/security/advisories/GHSA-339m-4qw5-j2g3 https://github.com/tendenci/tendenci/issues/867 https://github.com/tendenci/tendenci/commit/23d9fd85ab7654e9c83cfc86cb4175c0bd7a77f1 https://github.com/tendenci/tendenci/commit/2ff0a457614944a1b417081c543ea4c5bb95d636 https://github.com/tendenci/tendenci/commit/63e1b84a5b163466d1d8d811d35e7021a7ca0d0e https://docs.python.org/3/library/pickle.html#restricting-globals https://github.com/advisories/GHSA-jqmc-fxxp-r589 https://github.com/tendenci/tendenci/releases/tag/v15.3.12 |
| themeruby--ThemeRuby Multi Authors Assign Multiple Writers to Posts | The ThemeRuby Multi Authors - Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1097 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ca74bb1d-1954-4869-aaa9-bf66600cdf2a?source=cve https://plugins.trac.wordpress.org/browser/themeruby-multi-authors/trunk/includes/class-tma-shortcodes.php#L76 https://plugins.trac.wordpress.org/browser/themeruby-multi-authors/tags/1.0.0/includes/class-tma-shortcodes.php#L76 |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site. | 2026-01-20 | 5.4 | CVE-2026-0548 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/tutor/tags/3.9.4/classes/User.php&new_path=/tutor/tags/3.9.5/classes/User.php |
| theupdateframework--go-tuf | go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available. | 2026-01-22 | 5.9 | CVE-2026-23991 | https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324 https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6 https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1 |
| theupdateframework--go-tuf | go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification of TUF metadata files at rest or in transit, as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1. | 2026-01-22 | 5.9 | CVE-2026-23992 | https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525 https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0 |
| thimpress--LearnPress WordPress LMS Plugin for Create and Sell Online Courses | The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included. | 2026-01-20 | 5.3 | CVE-2025-14798 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6fb00ce4-aa82-4479-b7f6-79e7bde098c1?source=cve https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L134 https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L35 |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version | 2026-01-24 | 6.5 | CVE-2026-24420 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17. | 2026-01-24 | 6.5 | CVE-2026-24421 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-wm8h-26fv-mg7g |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17. | 2026-01-24 | 5.3 | CVE-2026-24422 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc |
| Totolink--LR350 | A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2026-01-19 | 6.3 | CVE-2026-1149 | VDB-341742 \| Totolink LR350 POST Request cstecgi.cgi setDiagnosisCfg command injection VDB-341742 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735695 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setDiagnosisCfg-2e453a41781f800d9ba9c6da80b55276?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. Impacted is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 6.3 | CVE-2026-1150 | VDB-341743 \| Totolink LR350 POST Request cstecgi.cgi setTracerouteCfg command injection VDB-341743 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735696 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setTracerouteCfg-2e453a41781f803494e3e4161a393487?source=copy_link https://www.totolink.net/ |
| Totolink--NR1800X | A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-22 | 6.3 | CVE-2026-1326 | VDB-342302 \| Totolink NR1800X POST Request cstecgi.cgi setWanCfg command injection VDB-342302 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735787 \| TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWanCfg-2e453a41781f80b390f3e1ce0d9dd5b9?source=copy_link https://www.totolink.net/ |
| Totolink--NR1800X | A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-22 | 6.3 | CVE-2026-1327 | VDB-342303 \| Totolink NR1800X POST Request cstecgi.cgi setTracerouteCfg command injection VDB-342303 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735790 \| TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setTracerouteCfg-2e453a41781f80df8ef9d32983758502?source=copy_link https://www.totolink.net/ |
| typemill--typemill | Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2. | 2026-01-23 | 5.4 | CVE-2026-24127 | https://github.com/typemill/typemill/security/advisories/GHSA-65x4-pjhj-r8wr https://github.com/typemill/typemill/commit/b506acd11e80fb9c8db5fa6c2c8ad73580b4e88c https://github.com/typemill/typemill/releases/tag/v2.19.2 |
| uncannyowl--Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin | The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page. | 2026-01-23 | 6.4 | CVE-2025-15522 | https://www.wordfence.com/threat-intel/vulnerabilities/id/41c54e1b-69b9-4594-8f1e-7ef17f120791?source=cve https://wordpress.org/plugins/uncanny-automator https://plugins.trac.wordpress.org/browser/uncanny-automator/tags/6.10.0.2/src/integrations/discord/shortcodes/discord-user-mapping-shortcode.php#L128 https://plugins.trac.wordpress.org/changeset/3440408/uncanny-automator/trunk/src/integrations/discord/shortcodes/discord-user-mapping-shortcode.php |
| vektor-inc--VK Google Job Posting Manager | The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.20 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2025-12836 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4e0fd492-19ee-430e-a495-99ad28043bf9?source=cve https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L419 https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L468 |
| vintagedaddyo--MyBB Delete Account Plugin | MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons. | 2026-01-23 | 6.1 | CVE-2021-47905 | ExploitDB-49500 MyBB Delete Account Plugin Repository VulnCheck Advisory: MyBB Delete Account Plugin 1.4 - Cross-Site Scripting |
| waqasvickey0071--WP Youtube Video Gallery | The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14906 | https://www.wordfence.com/threat-intel/vulnerabilities/id/53709d2c-6522-40f0-9dc4-82517d3ee7b2?source=cve https://plugins.trac.wordpress.org/browser/wp-youtube-video-gallery/tags/1.0/admin/admin.php#L444 |
| wedevs--weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot | The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit any documentation post. The vulnerability was partially patched in version 2.1.16. | 2026-01-23 | 4.3 | CVE-2025-13921 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c56234f3-7dd6-4dff-887d-5ddbf0cb7d3c?source=cve https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/functions.php#L506 https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/Installer.php#L21 https://plugins.trac.wordpress.org/changeset/3426704/ https://plugins.trac.wordpress.org/changeset/3440068/ |
| wedevs--weMail Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation | The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files. | 2026-01-20 | 5.3 | CVE-2025-14348 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59c0caa2-d0c2-472e-83c3-d11ad313720d?source=cve https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L79 https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L85 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3442404%40wemail%2Ftrunk&old=3423372%40wemail%2Ftrunk&sfp_email=&sfph_mail=#file1 |
| wizit--Wizit Gateway for WooCommerce | The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID. | 2026-01-24 | 5.3 | CVE-2025-14843 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b6926c2c-79d4-477c-a2eb-ba62545f2e2b?source=cve https://plugins.trac.wordpress.org/browser/wizit-gateway-for-woocommerce/tags/1.2.9/class-wizit-gateway.php?marks=1249,1341-1349#L1249 |
| wpchill--Image Photo Gallery Final Tiles Grid | The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators. | 2026-01-19 | 5.4 | CVE-2025-15466 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0afcfe15-2d7d-4c96-a408-28f35577a927?source=cve https://plugins.trac.wordpress.org/changeset/3435746/ |
| wpdevteam--NotificationX FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar | The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership. | 2026-01-20 | 4.3 | CVE-2026-0554 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3cd843b-ab38-45c4-a661-78d4e6db5201?source=cve https://research.cleantalk.org/cve-2026-0554 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail= |
| wpdirectorykit--WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles. | 2026-01-24 | 5.3 | CVE-2025-13920 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8905dcc7-d3c8-4ae8-818c-df3e6ed2ad9c?source=cve https://plugins.trac.wordpress.org/changeset/3435482/wpdirectorykit |
| wpdiscover--Timeline Event History | The Timeline Event History plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `id` parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-24 | 6.1 | CVE-2026-1127 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ba779595-2674-4d84-bc41-889ae60bd6a4?source=cve https://plugins.trac.wordpress.org/browser/timeline-event-history/tags/3.2/includes/admin/class-timeline-wp-field-builder.php#L540 |
| wpgmaps--WP Go Maps (formerly WP Google Maps) | The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings. | 2026-01-24 | 5.3 | CVE-2026-0593 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f0741c1-a5d7-41a4-a739-2cb7cb836509?source=cve https://plugins.trac.wordpress.org/changeset/3439283/wp-google-maps/trunk/includes/class.admin-notices.php |
| Yodinfo--Mini Mouse | Mini Mouse 9.3.0 contains a path traversal vulnerability that allows attackers to access sensitive system directories through the device information endpoint. Attackers can retrieve file lists from system directories like /usr, /etc, and /var by manipulating file path parameters in API requests. | 2026-01-21 | 6.2 | CVE-2021-47849 | ExploitDB-49747 Mini Mouse Apple Store VulnCheck Advisory: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal |
| zainali99--MyBB Trending Widget Plugin | MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget. | 2026-01-23 | 6.1 | CVE-2018-25132 | ExploitDB-49504 Trending Widget GitHub Repository VulnCheck Advisory: MyBB Trending Widget Plugin 1.2 - Cross-Site Scripting |
| zero1zerouk--Login Page Editor | The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login page settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1088 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f428b90d-8830-445d-b1f1-d8f860dae5cf?source=cve https://plugins.trac.wordpress.org/browser/login-page-editor/trunk/class/devotion.core.class.php#L50 https://plugins.trac.wordpress.org/browser/login-page-editor/tags/1.2/class/devotion.core.class.php#L50 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Athroniaeth--fastapi-api-key | FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing attacks. | 2026-01-21 | 3.7 | CVE-2026-23996 | https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g https://github.com/Athroniaeth/fastapi-api-key/commit/310b2c5c77305f38c63c0b917539a0344071dfd8 https://github.com/Athroniaeth/fastapi-api-key/releases/tag/1.1.0 |
| backstage--backstage | Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints. | 2026-01-21 | 3.5 | CVE-2026-24048 | https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9 https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb |
| Beetel--777VR1 | A security flaw has been discovered in Beetel 777VR1 up to 01.00.09/01.00.09_55. This affects an unknown part of the component UART Interface. Performing a manipulation results in information disclosure. The attack may be carried out on the physical device. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-25 | 2 | CVE-2026-1407 | VDB-342796 \| Beetel 777VR1 UART information disclosure VDB-342796 \| CTI Indicators (IOB, IOC, TTP) Submit #736322 \| Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 Cleartext Exposure of Sensitive Credentials in Boot Logs - UART https://gist.github.com/raghav20232023/253c041842f622d9c2cb6ee4111c2227 |
| Beetel--777VR1 | A weakness has been identified in Beetel 777VR1 up to 01.00.09/01.00.09_55. This vulnerability affects unknown code of the component UART Interface. Executing a manipulation can lead to weak password requirements. The physical device can be targeted for the attack. The attack requires a high level of complexity. It is stated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-25 | 2 | CVE-2026-1408 | VDB-342797 \| Beetel 777VR1 UART weak password VDB-342797 \| CTI Indicators (IOB, IOC, TTP) Submit #739384 \| Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 CWE-521 — Weak Password Requirements https://gist.github.com/raghav20232023/9c51cbd91f3798b1c10f3f30fb631633 |
| Beetel--777VR1 | A security vulnerability has been detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack on the physical device. The attack's complexity is rated as high. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-25 | 2 | CVE-2026-1409 | VDB-342798 \| Beetel 777VR1 UART excessive authentication VDB-342798 \| CTI Indicators (IOB, IOC, TTP) Submit #739399 \| Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 CWE-307 Improper Restriction - Excessive Authentication Attempts https://gist.github.com/raghav20232023/19900b427445adf37f64ae953611bfce |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to denial of service. | 2026-01-22 | 3.5 | CVE-2026-22281 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| franklioxygen--MyTube | MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78. | 2026-01-23 | 2.7 | CVE-2026-24140 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-c938-x24g-fxcx https://github.com/franklioxygen/MyTube/commit/9d737cb373f7af3e5c92d458e2832caf817b6de6 |
| HCL Software--AION | HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application's overall security posture and increase its susceptibility to common web-based attacks. | 2026-01-19 | 3.5 | CVE-2025-55249 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. | 2026-01-19 | 3.1 | CVE-2025-55251 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION version 2 is affected by a Weak Password Policy vulnerability. This can allow the use of easily guessable passwords, potentially resulting in unauthorized access. | 2026-01-19 | 3.1 | CVE-2025-55252 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure. | 2026-01-19 | 2.8 | CVE-2025-52659 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. | 2026-01-19 | 2.7 | CVE-2025-52660 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised. | 2026-01-19 | 2.4 | CVE-2025-52661 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks. | 2026-01-19 | 1.8 | CVE-2025-55250 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| IBM--ApplinX | IBM ApplinX 11.1 could allow an authenticated user to perform unauthorized administrative actions on the server due to server-side enforcement of client-side security. | 2026-01-20 | 3.1 | CVE-2025-36410 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--ApplinX | IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 2026-01-20 | 3.5 | CVE-2025-36411 | https://www.ibm.com/support/pages/node/7257446 |
| lcg0124--BootDo | A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. This manipulation of the argument content/author/title causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | 2026-01-19 | 3.5 | CVE-2026-1136 | VDB-341726 \| lcg0124 BootDo ContentController save cross site scripting VDB-341726 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735164 \| BootDo V1.0 Cross Site Scripting https://github.com/webzzaa/CVE-/issues/4 |
| lcg0124--BootDo | A vulnerability was determined in lcg0124 BootDo up to 5ccd963c74058036b466e038cff37de4056c1600. Affected by this vulnerability is the function redirectToLogin of the file AccessControlFilter.java of the component Host Header Handler. This manipulation of the argument Hostname causes open redirect. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | 2026-01-25 | 3.5 | CVE-2026-1406 | VDB-342794 \| lcg0124 BootDo Host Header AccessControlFilter.java redirectToLogin VDB-342794 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736271 \| BootDo web V1.0 Host header injection https://github.com/webzzaa/CVE-/issues/5 |
| libexpat project--libexpat | In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. | 2026-01-23 | 2.9 | CVE-2026-24515 | https://github.com/libexpat/libexpat/pull/1131 |
| lobehub--lobe-chat | LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, the `knowledgeBase.removeFilesFromKnowledgeBase` tRPC endpoint allows authenticated users to delete files from any knowledge base without verifying ownership. The `userId` filter in the database query is commented out, enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing the target's KB ID and file ID. These IDs are random and not easily enumerable. However, IDs may leak through shared links, logs, referrer headers and so on. A missing authorization check is a critical security flaw regardless. Users should upgrade to version 2.0.0-next.193 to receive a patch. | 2026-01-19 | 3.7 | CVE-2026-23522 | https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6 |
| MineAdmin--MineAdmin | A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. Such manipulation of the argument ID leads to information disclosure. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 3.1 | CVE-2026-1196 | VDB-341781 \| MineAdmin getFileInfoById information disclosure VDB-341781 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734273 \| MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x getFileInfoById Arbitrary File Read Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/3 |
| MineAdmin--MineAdmin | A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. Performing a manipulation of the argument ID results in information disclosure. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 3.1 | CVE-2026-1197 | VDB-341782 \| MineAdmin downloadById information disclosure VDB-341782 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734274 \| MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x downloadById Arbitrary File Download Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/2 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L). | 2026-01-20 | 2.7 | CVE-2026-21965 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). | 2026-01-20 | 3.1 | CVE-2026-21947 | Oracle Advisory |
| Oracle Corporation--Oracle Zero Data Loss Recovery Appliance Software | Vulnerability in the Oracle Zero Data Loss Recovery Appliance Software product of Oracle Zero Data Loss Recovery Appliance (component: Security). Supported versions that are affected are 23.1.0-23.1.202509. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Zero Data Loss Recovery Appliance Software. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Zero Data Loss Recovery Appliance Software accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). | 2026-01-20 | 3.1 | CVE-2026-21977 | Oracle Advisory |
| Oracle Corporation--Oracle ZFS Storage Appliance Kit | Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Filesystems). The supported version that is affected is 8.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle ZFS Storage Appliance Kit accessible data. CVSS 3.1 Base Score 2.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N). | 2026-01-20 | 2.3 | CVE-2026-21930 | Oracle Advisory |
| pbrong--hrms | A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. | 2026-01-19 | 3.5 | CVE-2026-1161 | VDB-341755 \| pbrong hrms recruitment.go UpdateRecruitmentById cross site scripting VDB-341755 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736510 \| Pbrong hrms 1.0.1 Stored Cross Site Scripting Vulnerability https://github.com/TheLiao233/cve/issues/1 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak's refresh token rotation hardening can be undermined. | 2026-01-21 | 3.1 | CVE-2026-1035 | https://access.redhat.com/security/cve/CVE-2026-1035 RHBZ#2430314 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. | 2026-01-21 | 2.7 | CVE-2025-14083 | https://access.redhat.com/security/cve/CVE-2025-14083 RHBZ#2419086 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS). | 2026-01-21 | 3.7 | CVE-2026-0988 | https://access.redhat.com/security/cve/CVE-2026-0988 RHBZ#2429886 |
| roxnor--MetForm Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | The MetForm - Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minutes). | 2026-01-24 | 3.7 | CVE-2026-0633 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d72cc420-1ff5-403b-b4ea-7c820fdebcf3?source=cve https://plugins.trac.wordpress.org/changeset/3438419/metform |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/api_register_patient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. | 2026-01-19 | 3.5 | CVE-2026-1146 | VDB-341739 \| SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_register_patient.php cross site scripting VDB-341739 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735543 \| Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross Site Scripting |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability was found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This affects an unknown part of the file /php/api_patient_schedule.php. Performing a manipulation of the argument Reason results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2026-01-19 | 3.5 | CVE-2026-1147 | VDB-341740 \| SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_patient_schedule.php cross site scripting VDB-341740 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735544 \| Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross Site Scripting |
| technical-laohu--mpay | A weakness has been identified in technical-laohu mpay up to 1.2.4. The affected element is an unknown function of the component User Center. This manipulation of the argument Nickname causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-19 | 2.4 | CVE-2026-1151 | VDB-341744 \| technical-laohu mpay User Center cross site scripting VDB-341744 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735773 \| https://gitee.com/technical-laohu/mpay mpay v1.2.4 Stored Cross-Site Scripting https://github.com/bdkuzma/vuln/issues/16 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 7-Zip--7-Zip | 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26743. | 2026-01-23 | not yet calculated | CVE-2025-11002 | ZDI-25-950 |
| AA-Team--SearchAzon | Cross-Site Request Forgery (CSRF) vulnerability in AA-Team SearchAzon searchazon allows Cross Site Request Forgery. This issue affects SearchAzon: from n/a through <= 1.4. | 2026-01-22 | not yet calculated | CVE-2026-22360 | https://patchstack.com/database/Wordpress/Plugin/searchazon/vulnerability/wordpress-searchazon-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| AA-Team--Wordpress Movies Bulk Importer | Cross-Site Request Forgery (CSRF) vulnerability in AA-Team Wordpress Movies Bulk Importer movies importer allows Cross Site Request Forgery. This issue affects Wordpress Movies Bulk Importer: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2026-22359 | https://patchstack.com/database/Wordpress/Plugin/movies%20importer/vulnerability/wordpress-wordpress-movies-bulk-importer-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Abacre--Abacre | Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page. | 2026-01-20 | not yet calculated | CVE-2025-67261 | https://www.abacre.com/retailpointofsale/ https://packetstorm.news/files/id/214046/ |
| Abacre--Abacre | Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these fields, which is persisted in the database. | 2026-01-20 | not yet calculated | CVE-2025-67263 | https://www.abacre.com/retailpointofsale/ https://packetstorm.news/files/id/214045/ |
| ABCdatos--Protección de datos – RGPD | Missing Authorization vulnerability in ABCdatos Protección de datos – RGPD proteccion-datos-rgpd allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Protección de datos – RGPD: from n/a through <= 0.68. | 2026-01-23 | not yet calculated | CVE-2026-24539 | https://patchstack.com/database/Wordpress/Plugin/proteccion-datos-rgpd/vulnerability/wordpress-proteccion-de-datos-rgpd-plugin-0-68-broken-access-control-vulnerability?_s_id=cve |
| Ability, Inc--Web Accessibility with Max Access | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ability, Inc Web Accessibility with Max Access accessibility-toolbar allows Stored XSS. This issue affects Web Accessibility with Max Access: from n/a through <= 2.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24629 | https://patchstack.com/database/Wordpress/Plugin/accessibility-toolbar/vulnerability/wordpress-web-accessibility-with-max-access-plugin-2-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AbsolutePlugins--Absolute Addons For Elementor | Missing Authorization vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Absolute Addons For Elementor: from n/a through <= 1.0.14. | 2026-01-22 | not yet calculated | CVE-2026-22468 | https://patchstack.com/database/Wordpress/Plugin/absolute-addons/vulnerability/wordpress-absolute-addons-for-elementor-plugin-1-0-14-broken-access-control-vulnerability?_s_id=cve |
| adamlabs--WordPress Photo Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamlabs WordPress Photo Gallery photo-gallery-portfolio allows Reflected XSS. This issue affects WordPress Photo Gallery: from n/a through <= 1.1.0. | 2026-01-22 | not yet calculated | CVE-2025-53240 | https://patchstack.com/database/Wordpress/Plugin/photo-gallery-portfolio/vulnerability/wordpress-wordpress-photo-gallery-plugin-1-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| agmorpheus--Syntax Highlighter Compress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in agmorpheus Syntax Highlighter Compress syntax-highlighter-compress allows Reflected XSS. This issue affects Syntax Highlighter Compress: from n/a through <= 3.0.83.3. | 2026-01-22 | not yet calculated | CVE-2025-68859 | https://patchstack.com/database/Wordpress/Plugin/syntax-highlighter-compress/vulnerability/wordpress-syntax-highlighter-compress-plugin-3-0-83-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AivahThemes--Anona | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0. | 2026-01-22 | not yet calculated | CVE-2025-68901 | https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-arbitrary-file-deletion-vulnerability?_s_id=cve |
| AivahThemes--Anona | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0. | 2026-01-22 | not yet calculated | CVE-2025-68902 | https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-arbitrary-file-download-vulnerability?_s_id=cve |
| AivahThemes--Anona | Deserialization of Untrusted Data vulnerability in AivahThemes Anona anona allows Object Injection. This issue affects Anona: from n/a through <= 8.0. | 2026-01-22 | not yet calculated | CVE-2025-68903 | https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-php-object-injection-vulnerability?_s_id=cve |
| AivahThemes--Hostme v2 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Hostme v2 hostmev2 allows Path Traversal. This issue affects Hostme v2: from n/a through <= 7.0. | 2026-01-22 | not yet calculated | CVE-2025-68907 | https://patchstack.com/database/Wordpress/Theme/hostmev2/vulnerability/wordpress-hostme-v2-theme-7-0-arbitrary-file-deletion-vulnerability?_s_id=cve |
| Alejandro--Quick Restaurant Reservations | Missing Authorization vulnerability in Alejandro Quick Restaurant Reservations quick-restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quick Restaurant Reservations: from n/a through <= 1.6.7. | 2026-01-23 | not yet calculated | CVE-2026-24529 | https://patchstack.com/database/Wordpress/Plugin/quick-restaurant-reservations/vulnerability/wordpress-quick-restaurant-reservations-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-25568. | 2026-01-23 | not yet calculated | CVE-2026-0779 | ZDI-26-001 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28289. | 2026-01-23 | not yet calculated | CVE-2026-0780 | ZDI-26-002 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28290. | 2026-01-23 | not yet calculated | CVE-2026-0781 | ZDI-26-003 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28291. | 2026-01-23 | not yet calculated | CVE-2026-0782 | ZDI-26-004 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28292. | 2026-01-23 | not yet calculated | CVE-2026-0783 | ZDI-26-005 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28293. | 2026-01-23 | not yet calculated | CVE-2026-0784 | ZDI-26-006 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter API Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the API interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28294. | 2026-01-23 | not yet calculated | CVE-2026-0785 | ZDI-26-007 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SCI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the SCI module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28295. | 2026-01-23 | not yet calculated | CVE-2026-0786 | ZDI-26-008 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SAC Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SAC module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28296. | 2026-01-23 | not yet calculated | CVE-2026-0787 | ZDI-26-009 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Persistent Cross-Site Scripting Vulnerability. This vulnerability allows remote attackers to execute web requests with a target user's privileges on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the functionality for viewing the syslog. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to interact with the application in the context of the target user. Was ZDI-CAN-28298. | 2026-01-23 | not yet calculated | CVE-2026-0788 | ZDI-26-010 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Inclusion of Authentication Cookie in Response Body Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper management of sensitive information. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28297. | 2026-01-23 | not yet calculated | CVE-2026-0789 | ZDI-26-011 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. By navigating directly to a URL, a user can gain unauthorized access to data. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28299. | 2026-01-23 | not yet calculated | CVE-2026-0790 | ZDI-26-012 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SIP INVITE Replaces Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Replaces header of SIP INVITE requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28300. | 2026-01-23 | not yet calculated | CVE-2026-0791 | ZDI-26-013 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SIP INVITE Alert-Info Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Alert-Info header of SIP INVITE requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28301. | 2026-01-23 | not yet calculated | CVE-2026-0792 | ZDI-26-014 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter InformaCast Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the InformaCast functionality. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28302. | 2026-01-23 | not yet calculated | CVE-2026-0793 | ZDI-26-015 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SIP Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SIP calls. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28303. | 2026-01-23 | not yet calculated | CVE-2026-0794 | ZDI-26-016 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28321. | 2026-01-23 | not yet calculated | CVE-2026-0795 | ZDI-26-017 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28322. | 2026-01-23 | not yet calculated | CVE-2026-0796 | ZDI-26-018 |
| AmentoTech--Workreap Core | Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Workreap Core workreap_core allows Authentication Abuse. This issue affects Workreap Core: from n/a through <= 3.4.0. | 2026-01-22 | not yet calculated | CVE-2025-69101 | https://patchstack.com/database/Wordpress/Plugin/workreap_core/vulnerability/wordpress-workreap-core-plugin-3-4-0-account-takeover-vulnerability?_s_id=cve |
| AncoraThemes--DiveIt | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion. This issue affects DiveIt: from n/a through <= 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-69059 | https://patchstack.com/database/Wordpress/Theme/diveit/vulnerability/wordpress-diveit-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Hobo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion. This issue affects Hobo: from n/a through <= 1.0.10. | 2026-01-22 | not yet calculated | CVE-2025-69077 | https://patchstack.com/database/Wordpress/Theme/hobo/vulnerability/wordpress-hobo-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Indoor Plants | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Indoor Plants indoor-plants allows PHP Local File Inclusion. This issue affects Indoor Plants: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-69066 | https://patchstack.com/database/Wordpress/Theme/indoor-plants/vulnerability/wordpress-indoor-plants-theme-1-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Malta | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Malta malta allows PHP Local File Inclusion. This issue affects Malta: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-69078 | https://patchstack.com/database/Wordpress/Theme/malta/vulnerability/wordpress-malta-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Modern Housewife | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion. This issue affects Modern Housewife: from n/a through <= 1.0.12. | 2026-01-22 | not yet calculated | CVE-2025-69076 | https://patchstack.com/database/Wordpress/Theme/modernhousewife/vulnerability/wordpress-modern-housewife-theme-1-0-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--MoveMe | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion. This issue affects MoveMe: from n/a through <= 1.2.15. | 2026-01-22 | not yet calculated | CVE-2025-69061 | https://patchstack.com/database/Wordpress/Theme/moveme/vulnerability/wordpress-moveme-theme-1-2-15-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Muji | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion. This issue affects Muji: from n/a through <= 1.2.0. | 2026-01-22 | not yet calculated | CVE-2025-69068 | https://patchstack.com/database/Wordpress/Theme/muji/vulnerability/wordpress-muji-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--PartyMaker | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes PartyMaker partymaker allows PHP Local File Inclusion. This issue affects PartyMaker: from n/a through <= 1.1.15. | 2026-01-22 | not yet calculated | CVE-2025-69058 | https://patchstack.com/database/Wordpress/Theme/partymaker/vulnerability/wordpress-partymaker-theme-1-1-15-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Pearson Specter | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pearson Specter pearsonspecter allows PHP Local File Inclusion. This issue affects Pearson Specter: from n/a through <= 1.11.3. | 2026-01-22 | not yet calculated | CVE-2025-69074 | https://patchstack.com/database/Wordpress/Theme/pearsonspecter/vulnerability/wordpress-pearson-specter-theme-1-11-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Pets Land | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pets Land petsland allows PHP Local File Inclusion. This issue affects Pets Land: from n/a through <= 1.2.8. | 2026-01-22 | not yet calculated | CVE-2025-69064 | https://patchstack.com/database/Wordpress/Theme/petsland/vulnerability/wordpress-pets-land-theme-1-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Piqes | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion. This issue affects Piqes: from n/a through <= 1.0.11. | 2026-01-22 | not yet calculated | CVE-2025-69073 | https://patchstack.com/database/Wordpress/Theme/piqes/vulnerability/wordpress-piqes-theme-1-0-11-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Prider | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion. This issue affects Prider: from n/a through <= 1.1.3.1. | 2026-01-22 | not yet calculated | CVE-2025-69072 | https://patchstack.com/database/Wordpress/Theme/prider/vulnerability/wordpress-prider-theme-1-1-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Snow Mountain | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Snow Mountain snowmountain allows PHP Local File Inclusion. This issue affects Snow Mountain: from n/a through <= 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-69065 | https://patchstack.com/database/Wordpress/Theme/snowmountain/vulnerability/wordpress-snow-mountain-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Tails | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tails tails allows PHP Local File Inclusion. This issue affects Tails: from n/a through <= 1.4.12. | 2026-01-22 | not yet calculated | CVE-2025-69067 | https://patchstack.com/database/Wordpress/Theme/tails/vulnerability/wordpress-tails-theme-1-4-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--TanTum | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion. This issue affects TanTum: from n/a through <= 1.1.13. | 2026-01-22 | not yet calculated | CVE-2025-69071 | https://patchstack.com/database/Wordpress/Theme/tantum/vulnerability/wordpress-tantum-theme-1-1-13-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Tornados | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion. This issue affects Tornados: from n/a through <= 2.1. | 2026-01-22 | not yet calculated | CVE-2025-69070 | https://patchstack.com/database/Wordpress/Theme/tornados/vulnerability/wordpress-tornados-theme-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--uReach | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion. This issue affects uReach: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-69060 | https://patchstack.com/database/Wordpress/Theme/ureach/vulnerability/wordpress-ureach-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Weedles | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Weedles weedles allows PHP Local File Inclusion. This issue affects Weedles: from n/a through <= 1.1.12. | 2026-01-22 | not yet calculated | CVE-2025-69062 | https://patchstack.com/database/Wordpress/Theme/weedles/vulnerability/wordpress-weedles-theme-1-1-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Yolox | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion. This issue affects Yolox: from n/a through <= 1.0.15. | 2026-01-22 | not yet calculated | CVE-2025-69075 | https://patchstack.com/database/Wordpress/Theme/yolox/vulnerability/wordpress-yolox-theme-1-0-15-local-file-inclusion-vulnerability?_s_id=cve |
| Angel Costa--WP SEO Search | Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery. This issue affects WP SEO Search: from n/a through <= 1.1. | 2026-01-22 | not yet calculated | CVE-2025-67626 | https://patchstack.com/database/Wordpress/Plugin/wp-seo-search/vulnerability/wordpress-wp-seo-search-plugin-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Anritsu--ShockLine | Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu ShockLine. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27833. | 2026-01-23 | not yet calculated | CVE-2025-15348 | ZDI-25-1199 |
| Anritsu--ShockLine | Anritsu ShockLine SCPI Race Condition Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Anritsu ShockLine. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SCPI component. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27315. | 2026-01-23 | not yet calculated | CVE-2025-15349 | ZDI-25-1200 |
| Anritsu--VectorStar | Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27039. | 2026-01-23 | not yet calculated | CVE-2025-15350 | ZDI-25-1201 |
| Anritsu--VectorStar | Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27040. | 2026-01-23 | not yet calculated | CVE-2025-15351 | ZDI-25-1202 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.65, a vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data, including Anthropic API keys, before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint, and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version. | 2026-01-21 | not yet calculated | CVE-2026-21852 | https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7 |
| Antideo--Antideo Email Validator | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Antideo Antideo Email Validator antideo-email-validator allows Blind SQL Injection. This issue affects Antideo Email Validator: from n/a through <= 1.0.10. | 2026-01-22 | not yet calculated | CVE-2025-68017 | https://patchstack.com/database/Wordpress/Plugin/antideo-email-validator/vulnerability/wordpress-antideo-email-validator-plugin-1-0-10-sql-injection-vulnerability?_s_id=cve |
| antoniobg--ABG Rich Pins | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antoniobg ABG Rich Pins abg-rich-pins allows Stored XSS. This issue affects ABG Rich Pins: from n/a through <= 1.1. | 2026-01-23 | not yet calculated | CVE-2026-24558 | https://patchstack.com/database/Wordpress/Plugin/abg-rich-pins/vulnerability/wordpress-abg-rich-pins-plugin-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Apache Software Foundation--Apache Linkis | A vulnerability in Apache Linkis. Problem Description: When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters. Scope of Impact: This issue affects Apache Linkis: from 1.3.0 through 1.7.0. Severity level: moderate. Solution: Continuously check if the connection information contains the "%" character; if it does, perform URL decoding. Users are recommended to upgrade to version 1.8.0, which fixes the issue. More questions about this vulnerability can be discussed here: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve | 2026-01-19 | not yet calculated | CVE-2025-29847 | https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057 |
| Apache Software Foundation--Apache Linkis | A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage. Affected Scope: Component: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64. Version: Apache Linkis 1.0.0 - 1.7.0. Trigger Conditions: The value of the configuration item is an invalid Base64 string. Log files are readable by users other than hive-site.xml administrators. Severity: Low. The probability of Base64 decoding failure is low. The leakage is only triggered when logs at the Error level are exposed. Remediation: Apache Linkis 1.8.0 and later versions have replaced the log with desensitized content: `logger.error("URL decode failed: {}", e.getMessage()); // no longer outputs str` Users are recommended to upgrade to version 1.8.0, which fixes the issue. | 2026-01-19 | not yet calculated | CVE-2025-59355 | https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h |
| Apache Software Foundation--Apache Solr | Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria are impacted by this vulnerability: * Use of Solr's "RuleBasedAuthorizationPlugin" * A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles" * A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read". * A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission * A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway) Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role. Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1. | 2026-01-21 | not yet calculated | CVE-2026-22022 | https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn |
| Apache Software Foundation--Apache Solr | The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes. Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its "standalone" mode. * Solr's "allowPaths" setting is being used to restrict file access to certain directories. * Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contains fixes for this issue. | 2026-01-21 | not yet calculated | CVE-2026-22444 | https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m |
| Apple--Container | The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0. | 2026-01-22 | not yet calculated | CVE-2026-20613 | https://github.com/apple/containerization/security/advisories/GHSA-cq3j-qj2h-6rv3 |
| Apryse--Apryse | A Local File Inclusion (LFI) vulnerability and a Server-Side Request Forgery (SSRF) vulnerability were found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK through 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover. | 2026-01-22 | not yet calculated | CVE-2025-56589 | http://apryse.com https://www.stratascale.com/resource/apryse-server-module-ssrf-lfi/ |
| Apryse--Apryse | An issue was discovered in the InsertFromURL() function of the Apryse HTML2PDF SDK through 11.10. This vulnerability could allow an attacker to execute arbitrary operating system commands on the local server. | 2026-01-22 | not yet calculated | CVE-2025-56590 | http://apryse.com https://www.stratascale.com/resource/apryse-server-argument-injection-rce/ |
| Aptsys--Aptsys | An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform through 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 is a broken cryptographic function, the hashes can be easily reversed using public tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive POS operations or backend functions. | 2026-01-23 | not yet calculated | CVE-2025-52026 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| ApusTheme--Drone | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS. This issue affects Drone: from n/a through <= 1.40. | 2026-01-22 | not yet calculated | CVE-2025-49249 | https://patchstack.com/database/Wordpress/Theme/drone/vulnerability/wordpress-drone-theme-1-40-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| arduino--ArduinoCore-avr | ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings with high precision. By passing very large `decimalPlaces` values to the affected String constructors or concat methods, the `dtostrf` function writes beyond fixed-size stack buffers, causing memory corruption and denial of service. Under specific conditions, this could enable arbitrary code execution on AVR-based Arduino boards. Patches: the fix is included starting from the `1.8.7` release, available at [ArduinoCore-avr v1.8.7](https://github.com/arduino/ArduinoCore-avr); the fixing commit is [1a6a417f89c8901dad646efce74ae9d3ddebfd59](https://github.com/arduino/ArduinoCore-avr/pull/613/commits/1a6a417f89c8901dad646efce74ae9d3ddebfd59). References: [ASEC-26-001 ArduinoCore-avr vXXXX Resolves Buffer Overflow Vulnerability](https://support.arduino.cc/hc/en-us/articles/XXXXX). Credits: Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/). | 2026-01-21 | not yet calculated | CVE-2025-69209 | https://github.com/arduino/ArduinoCore-avr/security/advisories/GHSA-pvx3-fm7w-6hjm https://github.com/arduino/ArduinoCore-avr/pull/613 https://github.com/arduino/ArduinoCore-avr/commit/82a8ad2fb33911d8927c7af22e0472b94325d1a7 https://github.com/arduino/ArduinoCore-avr/releases/tag/1.8.7 https://support.arduino.cc/hc/en-us/articles/24985906702748-ASEC-26-001-ArduinoCore-AVR-v1-8-7-Resolves-Stack-Based-Buffer-Overflow-Vulnerability |
| Arevico--WP Simple Redirect | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS. This issue affects WP Simple Redirect: from n/a through <= 1.1. | 2026-01-22 | not yet calculated | CVE-2025-68884 | https://patchstack.com/database/Wordpress/Plugin/wp-simple-redirect/vulnerability/wordpress-wp-simple-redirect-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user's browser under the Argo Server origin, enabling API actions with the victim's privileges. Versions 3.6.17 and 3.7.8 fix the issue. | 2026-01-21 | not yet calculated | CVE-2026-23960 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82 https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17 https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244 https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17 https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8 |
| Arksine--moonraker | Moonraker is a Python web server providing API access to Klipper 3D printing firmware. In versions 0.9.3 and below, instances configured with the "ldap" component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes. This issue has been fixed in version 0.10.0. | 2026-01-22 | not yet calculated | CVE-2026-24130 | https://github.com/Arksine/moonraker/security/advisories/GHSA-3jqf-v4mv-747g https://github.com/Arksine/moonraker/commit/74c5d8e44c4a4abbfbb06fb991e7ebb9ac947f42 |
| Arraytics--Eventin | Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection. This issue affects Eventin: from n/a through <= 4.1.1. | 2026-01-22 | not yet calculated | CVE-2025-68047 | https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-52-php-object-injection-vulnerability?_s_id=cve |
| artbees--JupiterX Core | Deserialization of Untrusted Data vulnerability in artbees JupiterX Core jupiterx-core allows Object Injection. This issue affects JupiterX Core: from n/a through <= 4.10.1. | 2026-01-22 | not yet calculated | CVE-2025-50004 | https://patchstack.com/database/Wordpress/Plugin/jupiterx-core/vulnerability/wordpress-jupiterx-core-plugin-4-10-1-php-object-injection-vulnerability?_s_id=cve |
| artplacer--ArtPlacer Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Stored XSS. This issue affects ArtPlacer Widget: from n/a through <= 2.23.1. | 2026-01-23 | not yet calculated | CVE-2026-24555 | https://patchstack.com/database/Wordpress/Plugin/artplacer-widget/vulnerability/wordpress-artplacer-widget-plugin-2-23-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Arul Prasad J--WP Quick Post Duplicator | Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Quick Post Duplicator: from n/a through <= 2.1. | 2026-01-22 | not yet calculated | CVE-2026-24387 | https://patchstack.com/database/Wordpress/Plugin/wp-quick-post-duplicator/vulnerability/wordpress-wp-quick-post-duplicator-plugin-2-1-broken-access-control-vulnerability?_s_id=cve |
| Ashan Perera--LifePress | Missing Authorization vulnerability in Ashan Perera LifePress lifepress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LifePress: from n/a through <= 2.1.3. | 2026-01-23 | not yet calculated | CVE-2026-24563 | https://patchstack.com/database/Wordpress/Plugin/lifepress/vulnerability/wordpress-lifepress-plugin-2-1-3-broken-access-control-vulnerability-2?_s_id=cve |
| Atomberg--Atomberg | An issue in Atomberg Atomberg Erica Smart Fan Firmware Version: V1.0.36 allows an attacker to obtain sensitive information and escalate privileges via a crafted deauth frame | 2026-01-22 | not yet calculated | CVE-2025-69822 | https://github.com/CipherX1802/CVE-2025-69822-Atomberg_Erica_SmatFan_Security_Assessment/blob/main/Atomberg_Erica_SmatFan_Security_Assessment_Report.pdf https://github.com/CipherX1802/CVE-2025-69822-Atomberg_Erica_SmatFan_Security_Assessment.git |
| Automated Logic--WebCTRL | Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web session management component allows an attacker to access stored passwords in a recoverable format which makes them subject to password reuse attacks by malicious users. This issue affects WebCTRL: from 6.0 through 9.0; i-Vu: from 6.0 through 9.0. | 2026-01-22 | not yet calculated | CVE-2025-14295 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| averta--Depicter Slider | Missing Authorization vulnerability in averta Depicter Slider depicter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Depicter Slider: from n/a through <= 4.0.4. | 2026-01-22 | not yet calculated | CVE-2025-68558 | https://patchstack.com/database/Wordpress/Plugin/depicter/vulnerability/wordpress-depicter-slider-plugin-4-0-4-broken-access-control-vulnerability?_s_id=cve |
| axiomthemes--Amuli | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Amuli amuli allows PHP Local File Inclusion. This issue affects Amuli: from n/a through <= 2.3.0. | 2026-01-22 | not yet calculated | CVE-2025-50003 | https://patchstack.com/database/Wordpress/Theme/amuli/vulnerability/wordpress-amuli-theme-2-3-0-local-file-inclusion-vulnerability?_s_id=cve |
| ayecode--Restaurante | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS. This issue affects Restaurante: from n/a through <= 3.0.7. | 2026-01-22 | not yet calculated | CVE-2025-52746 | https://patchstack.com/database/Wordpress/Theme/restaurante/vulnerability/wordpress-restaurante-theme-3-0-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Bdtask--Isshue | HTML Injection vulnerability in Isshue by Bdtask, consisting of an HTML injection due to a lack of proper validation of user input by sending a POST request to '/category_product_search', affecting the 'product_name' parameter. | 2026-01-20 | not yet calculated | CVE-2025-40679 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/html-injection-isshue-bdtask |
| bdthemes--Element Pack Elementor Addons | Cross-Site Request Forgery (CSRF) vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Cross Site Request Forgery. This issue affects Element Pack Elementor Addons: from n/a through <= 8.3.13. | 2026-01-22 | not yet calculated | CVE-2025-31413 | https://patchstack.com/database/Wordpress/Plugin/bdthemes-element-pack-lite/vulnerability/wordpress-element-pack-elementor-addons-plugin-8-3-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Beam--Beam | Directory Traversal vulnerability in Beam beta9 v.0.1.552 allows a remote attacker to obtain sensitive information via the joinCleanPath function | 2026-01-22 | not yet calculated | CVE-2025-69820 | https://github.com/aws/aws-sdk-php/security/advisories/GHSA-557v-xcg6-rm5m https://github.com/ryotaromatsui/CVEs/tree/main/CVE-2025-69820 https://github.com/beam-cloud/beta9/blob/c1cd75e813cf7d53e916157d920099e89ef45caa/pkg/abstractions/volume/multipart.go#L45 |
| Beaver Builder--Beaver Builder | Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection. This issue affects Beaver Builder: from n/a through <= 2.9.4.1. | 2026-01-22 | not yet calculated | CVE-2025-69319 | https://patchstack.com/database/Wordpress/Plugin/beaver-builder-lite-version/vulnerability/wordpress-beaver-builder-plugin-2-9-4-1-arbitrary-code-execution-vulnerability?_s_id=cve |
| Benjamin Intal--Stackable | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Intal Stackable stackable-ultimate-gutenberg-blocks allows Stored XSS. This issue affects Stackable: from n/a through <= 3.19.5. | 2026-01-22 | not yet calculated | CVE-2025-47500 | https://patchstack.com/database/Wordpress/Plugin/stackable-ultimate-gutenberg-blocks/vulnerability/wordpress-stackable-plugin-3-19-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| bestwebsoft--Multilanguage by BestWebSoft | Missing Authorization vulnerability in bestwebsoft Multilanguage by BestWebSoft multilanguage allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Multilanguage by BestWebSoft: from n/a through <= 1.5.2. | 2026-01-23 | not yet calculated | CVE-2026-24598 | https://patchstack.com/database/Wordpress/Plugin/multilanguage/vulnerability/wordpress-multilanguage-by-bestwebsoft-plugin-1-5-2-broken-access-control-vulnerability?_s_id=cve |
| Binance--Binance | A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-20 | not yet calculated | CVE-2025-66692 | https://github.com/trustwallet/wallet-core/commit/5668c67 https://gist.github.com/inkman97/b791189338f73b758c31a7db3cd50c2d |
| binary-parser--binary-parser | A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process. | 2026-01-20 | not yet calculated | CVE-2026-1245 | https://github.com/keichi/binary-parser/pull/283 https://github.com/keichi/binary-parser https://www.npmjs.com/package/binary-parser https://kb.cert.org/vuls/id/102648 |
| blazethemes--Blogistic | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogistic blogistic allows Using Malicious Files. This issue affects Blogistic: from n/a through <= 1.0.5. | 2026-01-22 | not yet calculated | CVE-2025-68909 | https://patchstack.com/database/Wordpress/Theme/blogistic/vulnerability/wordpress-blogistic-theme-1-0-5-arbitrary-file-upload-vulnerability?_s_id=cve |
| blazethemes--Blogmatic | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogmatic blogmatic. This issue affects Blogmatic: from n/a through <= 1.0.3. | 2026-01-22 | not yet calculated | CVE-2025-62050 | https://patchstack.com/database/Wordpress/Theme/blogmatic/vulnerability/wordpress-blogmatic-theme-1-0-3-arbitrary-file-upload-vulnerability?_s_id=cve |
| blazethemes--Blogzee | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogzee blogzee allows Using Malicious Files. This issue affects Blogzee: from n/a through <= 1.0.5. | 2026-01-22 | not yet calculated | CVE-2025-68910 | https://patchstack.com/database/Wordpress/Theme/blogzee/vulnerability/wordpress-blogzee-theme-1-0-5-arbitrary-file-upload-vulnerability?_s_id=cve |
| blazethemes--News Event | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes News Event news-event. This issue affects News Event: from n/a through <= 1.0.1. | 2026-01-22 | not yet calculated | CVE-2025-62056 | https://patchstack.com/database/Wordpress/Theme/news-event/vulnerability/wordpress-news-event-theme-1-0-1-arbitrary-file-upload-vulnerability?_s_id=cve |
| Booking Activities Team--Booking Activities | Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation. This issue affects Booking Activities: from n/a through <= 1.16.44. | 2026-01-22 | not yet calculated | CVE-2025-67953 | https://patchstack.com/database/Wordpress/Plugin/booking-activities/vulnerability/wordpress-booking-activities-plugin-1-16-44-privilege-escalation-vulnerability?_s_id=cve |
| bookingalgorithms--BA Book Everything | Missing Authorization vulnerability in bookingalgorithms BA Book Everything ba-book-everything allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BA Book Everything: from n/a through <= 1.8.16. | 2026-01-22 | not yet calculated | CVE-2026-24371 | https://patchstack.com/database/Wordpress/Plugin/ba-book-everything/vulnerability/wordpress-ba-book-everything-plugin-1-8-16-broken-access-control-vulnerability?_s_id=cve |
| Boopathi Rajan--WP Test Email | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS. This issue affects WP Test Email: from n/a through <= 1.1.7. | 2026-01-22 | not yet calculated | CVE-2025-69102 | https://patchstack.com/database/Wordpress/Plugin/wp-test-email/vulnerability/wordpress-wp-test-email-plugin-1-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Botble--TransP | HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter. | 2026-01-20 | not yet calculated | CVE-2026-1183 | https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-multiple-botble-products |
| boxnow--BOX NOW Delivery | Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BOX NOW Delivery: from n/a through <= 3.0.2. | 2026-01-23 | not yet calculated | CVE-2026-24571 | https://patchstack.com/database/Wordpress/Plugin/box-now-delivery/vulnerability/wordpress-box-now-delivery-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve |
| bPlugins--B Accordion | Insertion of Sensitive Information Into Sent Data vulnerability in bPlugins B Accordion b-accordion allows Retrieve Embedded Sensitive Data. This issue affects B Accordion: from n/a through <= 2.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24565 | https://patchstack.com/database/Wordpress/Plugin/b-accordion/vulnerability/wordpress-b-accordion-plugin-2-0-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| bPlugins--B Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Slider b-slider allows DOM-Based XSS. This issue affects B Slider: from n/a through <= 2.0.6. | 2026-01-22 | not yet calculated | CVE-2026-24383 | https://patchstack.com/database/Wordpress/Plugin/b-slider/vulnerability/wordpress-b-slider-plugin-2-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Brecht--WP Recipe Maker | Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Recipe Maker: from n/a through <= 10.2.4. | 2026-01-22 | not yet calculated | CVE-2026-24357 | https://patchstack.com/database/Wordpress/Plugin/wp-recipe-maker/vulnerability/wordpress-wp-recipe-maker-plugin-10-2-4-broken-access-control-vulnerability?_s_id=cve |
| briarinc--Anything Order by Terms | Missing Authorization vulnerability in briarinc Anything Order by Terms anything-order-by-terms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Anything Order by Terms: from n/a through <= 1.4.0. | 2026-01-23 | not yet calculated | CVE-2026-24567 | https://patchstack.com/database/Wordpress/Plugin/anything-order-by-terms/vulnerability/wordpress-anything-order-by-terms-plugin-1-4-0-broken-access-control-vulnerability?_s_id=cve |
| Broadstreet--Broadstreet Ads | Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broadstreet Ads: from n/a through <= 1.52.1. | 2026-01-22 | not yet calculated | CVE-2025-69311 | https://patchstack.com/database/Wordpress/Plugin/broadstreet/vulnerability/wordpress-broadstreet-ads-plugin-1-52-1-broken-access-control-vulnerability?_s_id=cve |
| bslthemes--Myour | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Myour myour allows PHP Local File Inclusion. This issue affects Myour: from n/a through <= 1.5.1. | 2026-01-22 | not yet calculated | CVE-2025-67615 | https://patchstack.com/database/Wordpress/Theme/myour/vulnerability/wordpress-myour-theme-1-5-1-local-file-inclusion-vulnerability?_s_id=cve |
| BZOTheme--Mella | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion. This issue affects Mella: from n/a through <= 1.2.29. | 2026-01-22 | not yet calculated | CVE-2025-67616 | https://patchstack.com/database/Wordpress/Theme/mella/vulnerability/wordpress-mella-theme-1-2-29-local-file-inclusion-vulnerability?_s_id=cve |
| cardpaysolutions--Payment Gateway Authorize.Net CIM for WooCommerce | Missing Authorization vulnerability in cardpaysolutions Payment Gateway Authorize.Net CIM for WooCommerce authnet-cim-for-woo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway Authorize.Net CIM for WooCommerce: from n/a through <= 2.1.2. | 2026-01-22 | not yet calculated | CVE-2025-68013 | https://patchstack.com/database/Wordpress/Plugin/authnet-cim-for-woo/vulnerability/wordpress-payment-gateway-authorize-net-cim-for-woocommerce-plugin-2-1-2-arbitrary-content-deletion-vulnerability?_s_id=cve |
| Cargus eCommerce--Cargus | Insertion of Sensitive Information Into Sent Data vulnerability in Cargus eCommerce Cargus cargus allows Retrieve Embedded Sensitive Data. This issue affects Cargus: from n/a through <= 1.5.8. | 2026-01-23 | not yet calculated | CVE-2026-24589 | https://patchstack.com/database/Wordpress/Plugin/cargus/vulnerability/wordpress-cargus-plugin-1-5-8-sensitive-data-exposure-vulnerability?_s_id=cve |
| Casey Bisson--wpCAS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Casey Bisson wpCAS wpcas allows Reflected XSS. This issue affects wpCAS: from n/a through <= 1.07. | 2026-01-22 | not yet calculated | CVE-2025-68858 | https://patchstack.com/database/Wordpress/Plugin/wpcas/vulnerability/wordpress-wpcas-plugin-1-0-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Chainlit--Chainlit | Chainlit versions prior to 2.9.4 contain an arbitrary file read vulnerability in the /project/element update flow. An authenticated client can send a custom Element with a user-controlled path value, causing the server to copy the referenced file into the attacker's session. The resulting element identifier (chainlitKey) can then be used to retrieve the file contents via /project/file/<chainlitKey>, allowing disclosure of any file readable by the Chainlit service. | 2026-01-19 | not yet calculated | CVE-2026-22218 | https://github.com/Chainlit/chainlit/releases/tag/2.9.4 https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover https://www.vulncheck.com/advisories/chainlit-arbitrary-file-read-via-project-element |
| Chainlit--Chainlit | Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider. | 2026-01-19 | not yet calculated | CVE-2026-22219 | https://github.com/Chainlit/chainlit/releases/tag/2.9.4 https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover https://www.vulncheck.com/advisories/chainlit-sqlalchemy-data-layer-ssrf-via-project-element |
| Chandni Patel--WP MapIt | Missing Authorization vulnerability in Chandni Patel WP MapIt wp-mapit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP MapIt: from n/a through <= 3.0.3. | 2026-01-22 | not yet calculated | CVE-2026-22466 | https://patchstack.com/database/Wordpress/Plugin/wp-mapit/vulnerability/wordpress-wp-mapit-plugin-3-0-3-broken-access-control-vulnerability?_s_id=cve |
| charmbracelet--soft-serve | Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3. | 2026-01-22 | not yet calculated | CVE-2026-24058 | https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741 https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3 |
| Chris Simmons--WP BackItUp | Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP BackItUp: from n/a through <= 2.0.0. | 2026-01-22 | not yet calculated | CVE-2025-68039 | https://patchstack.com/database/Wordpress/Plugin/wp-backitup/vulnerability/wordpress-wp-backitup-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| cjjparadoxmax--Synergy Project Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cjjparadoxmax Synergy Project Manager synergy-project-manager allows Stored XSS. This issue affects Synergy Project Manager: from n/a through <= 1.5. | 2026-01-22 | not yet calculated | CVE-2025-68898 | https://patchstack.com/database/Wordpress/Plugin/synergy-project-manager/vulnerability/wordpress-synergy-project-manager-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| cleverplugins--SEO Booster | Missing Authorization vulnerability in cleverplugins SEO Booster seo-booster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SEO Booster: from n/a through <= 6.1.8. | 2026-01-22 | not yet calculated | CVE-2025-68019 | https://patchstack.com/database/Wordpress/Plugin/seo-booster/vulnerability/wordpress-seo-booster-plugin-6-1-8-broken-access-control-vulnerability?_s_id=cve |
| CleverReach--CleverReach WP | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach® CleverReach® WP cleverreach-wp allows SQL Injection. This issue affects CleverReach® WP: from n/a through <= 1.5.22. | 2026-01-22 | not yet calculated | CVE-2025-68034 | https://patchstack.com/database/Wordpress/Plugin/cleverreach-wp/vulnerability/wordpress-cleverreach-wp-plugin-1-5-22-sql-injection-vulnerability?_s_id=cve |
| CleverSoft--Anon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS. This issue affects Anon: from n/a through <= 2.2.10. | 2026-01-22 | not yet calculated | CVE-2025-67620 | https://patchstack.com/database/Wordpress/Theme/anon2x/vulnerability/wordpress-anon-theme-2-2-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Cloudflare--Wrangler | Summary: A command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root cause: The commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. Impact: This vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits: Disclosed responsibly by kny4hacker. Mitigation: * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version. | 2026-01-20 | not yet calculated | CVE-2026-0933 | https://github.com/cloudflare/workers-sdk |
| Cloudinary--Cloudinary | Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloudinary: from n/a through <= 3.3.0. | 2026-01-23 | not yet calculated | CVE-2026-24560 | https://patchstack.com/database/Wordpress/Plugin/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/vulnerability/wordpress-cloudinary-plugin-3-3-0-broken-access-control-vulnerability?_s_id=cve |
| CloudPanel--CLP Varnish Cache | Missing Authorization vulnerability in CloudPanel CLP Varnish Cache clp-varnish-cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CLP Varnish Cache: from n/a through <= 1.0.2. | 2026-01-23 | not yet calculated | CVE-2026-24525 | https://patchstack.com/database/Wordpress/Plugin/clp-varnish-cache/vulnerability/wordpress-clp-varnish-cache-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve |
| Codeless--Slider Templates | Missing Authorization vulnerability in Codeless Slider Templates slider-templates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Slider Templates: from n/a through <= 1.0.3. | 2026-01-22 | not yet calculated | CVE-2025-68009 | https://patchstack.com/database/Wordpress/Plugin/slider-templates/vulnerability/wordpress-slider-templates-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve |
| codisto--Omnichannel for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codisto Omnichannel for WooCommerce codistoconnect allows Stored XSS. This issue affects Omnichannel for WooCommerce: from n/a through <= 1.3.65. | 2026-01-22 | not yet calculated | CVE-2025-68041 | https://patchstack.com/database/Wordpress/Plugin/codistoconnect/vulnerability/wordpress-omnichannel-for-woocommerce-plugin-1-3-65-cross-site-scripting-xss-vulnerability?_s_id=cve |
| COP--UX Flat | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in COP UX Flat ux-flat allows Stored XSS. This issue affects UX Flat: from n/a through <= 5.4.0. | 2026-01-23 | not yet calculated | CVE-2026-24576 | https://patchstack.com/database/Wordpress/Plugin/ux-flat/vulnerability/wordpress-ux-flat-plugin-5-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| copier-org--copier | Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with `_preserve_symlinks: false` (which is Copier's default setting). Version 9.11.2 patches the issue. | 2026-01-21 | not yet calculated | CVE-2026-23968 | https://github.com/copier-org/copier/security/advisories/GHSA-xjhm-gp88-8pfx https://github.com/copier-org/copier/commit/b3a7b3772d17cf0e7a4481978188c9f536c8d8f6 |
| copier-org--copier | Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using a directory symlink along with `_preserve_symlinks: true` and a generated directory structure whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. Version 9.11.2 patches the issue. | 2026-01-21 | not yet calculated | CVE-2026-23986 | https://github.com/copier-org/copier/security/advisories/GHSA-4fqp-r85r-hxqh https://github.com/copier-org/copier/commit/b3a7b3772d17cf0e7a4481978188c9f536c8d8f6 https://github.com/copier-org/copier/releases/tag/v9.11.2 |
| coreshop--CoreShop | CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue. | 2026-01-22 | not yet calculated | CVE-2026-23959 | https://github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2 https://github.com/coreshop/CoreShop/commit/af80b8f5c7df5f02f44e9c5e0a4a564de274eec2 https://github.com/coreshop/CoreShop/releases/tag/4.1.9 |
| cozythemes--HomeLancer | Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HomeLancer: from n/a through <= 1.0.1. | 2026-01-22 | not yet calculated | CVE-2025-49375 | https://patchstack.com/database/Wordpress/Theme/homelancer/vulnerability/wordpress-homelancer-theme-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| Craig Hewitt--Seriously Simple Podcasting | Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1. | 2026-01-22 | not yet calculated | CVE-2026-24360 | https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| crawlchat--crawlchat | CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a missing permission check in CrawlChat's Discord bot allows guild users without manage permissions to put malicious content onto the collection knowledge base. Usually, admins / mods of a Discord guild use the `jigsaw` emoji to save a specific message (chain) onto the collection's knowledge base of CrawlChat. Unfortunately, a permission check (e.g. for MANAGE_SERVER, MANAGE_MESSAGES, etc.) was not done, allowing normal users of the guild to add information to the knowledge base. By targeting specific parts that are commonly asked about, users can manipulate the content given out by the bot (on all integrations), e.g. to redirect users to a malicious site or send information to a malicious user. Version 0.0.8 patches the issue. | 2026-01-19 | not yet calculated | CVE-2026-23875 | https://github.com/crawlchat/crawlchat/security/advisories/GHSA-f484-62p4-6w4p https://github.com/crawlchat/crawlchat/commit/f90ebb93c6a830f6cf609d683f6425af8434573a https://github.com/crawlchat/crawlchat/releases/tag/v0.0.8 |
| CridioStudio--ListingPro Reviews | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Reviews listingpro-reviews allows Reflected XSS. This issue affects ListingPro Reviews: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2025-69051 | https://patchstack.com/database/Wordpress/Plugin/listingpro-reviews/vulnerability/wordpress-listingpro-reviews-theme-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CRM Perks--Integration for Contact Form 7 HubSpot | Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data. This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.3. | 2026-01-23 | not yet calculated | CVE-2026-24559 | https://patchstack.com/database/Wordpress/Plugin/cf7-hubspot/vulnerability/wordpress-integration-for-contact-form-7-hubspot-plugin-1-4-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Crocoblock--JetEngine | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS. This issue affects JetEngine: from n/a through <= 3.7.7. | 2026-01-22 | not yet calculated | CVE-2025-67923 | https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-7-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| cvat-ai--cvat | CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue. | 2026-01-21 | not yet calculated | CVE-2026-23516 | https://github.com/cvat-ai/cvat/security/advisories/GHSA-3m7p-wx65-c7mp https://github.com/cvat-ai/cvat/commit/40800707fe39e3ff76c8d036eb953eb12d764e70 |
| cvat-ai--cvat | CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the issue. As a workaround, review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges. | 2026-01-21 | not yet calculated | CVE-2026-23526 | https://github.com/cvat-ai/cvat/security/advisories/GHSA-7pvv-w55f-qmw7 https://github.com/cvat-ai/cvat/commit/88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4 |
| D-Link--D-View 8 | D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system. | 2026-01-21 | not yet calculated | CVE-2026-23754 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471 https://www.vulncheck.com/advisories/dlink-dview-8-idor-allows-credential-disclosure-and-account-takeover |
| D-Link--D-View 8 | D-Link D-View 8 versions 2.0.1.107 and below contain an uncontrolled search path vulnerability in the installer. When executed with elevated privileges via UAC, the installer attempts to load version.dll from its execution directory, allowing DLL preloading. An attacker can supply a malicious version.dll alongside the legitimate installer so that, when a victim runs the installer and approves the UAC prompt, attacker-controlled code executes with administrator privileges. This can lead to full system compromise. | 2026-01-21 | not yet calculated | CVE-2026-23755 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471 https://www.vulncheck.com/advisories/dlink-dview-8-installer-dll-preloading-via-uncontrolled-search-path |
| daap--daap | NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service. | 2026-01-20 | not yet calculated | CVE-2025-57155 | https://github.com/owntone/owntone-server/commit/d857116e4143a500d6a1ea13f4baa057ba3b0028 https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| dacp--dacp | NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash). | 2026-01-20 | not yet calculated | CVE-2025-57156 | https://github.com/owntone/owntone-server/issues/1907 https://github.com/owntone/owntone-server/commit/5e4d40ee03ae22ab79534bb1410fa9db96c9fabd https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| dacp--dacp | A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server. | 2026-01-20 | not yet calculated | CVE-2025-63648 | https://github.com/owntone/owntone-server/issues/1933 https://github.com/owntone/owntone-server/commit/5f526c7a7e08c567a5c72421d74a79dafdd07621 https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| Damian--WP Popups | Missing Authorization vulnerability in Damian WP Popups wp-popups-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Popups: from n/a through <= 2.2.0.3. | 2026-01-23 | not yet calculated | CVE-2026-24616 | https://patchstack.com/database/Wordpress/Plugin/wp-popups-lite/vulnerability/wordpress-wp-popups-plugin-2-2-0-3-broken-access-control-vulnerability?_s_id=cve |
| Daniel Iser--Easy Modal | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Iser Easy Modal easy-modal allows Stored XSS. This issue affects Easy Modal: from n/a through <= 2.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24617 | https://patchstack.com/database/Wordpress/Plugin/easy-modal/vulnerability/wordpress-easy-modal-plugin-2-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| dataease--dataease | Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user's password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin's password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available. | 2026-01-22 | not yet calculated | CVE-2026-23958 | https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j |
| dataease--SQLBot | SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to bypass all token validation. Uploaded files are parsed by pandas and inserted into the database via to_sql() with if_exists='replace' mode. The vulnerability has been fixed in v1.5.0. No known workarounds are available. | 2026-01-21 | not yet calculated | CVE-2025-69285 | https://github.com/dataease/SQLBot/security/advisories/GHSA-crfm-cch4-hjpv https://github.com/dataease/SQLBot/releases/tag/v1.5.0 |
| Deetronix--Booking Ultra Pro | Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Retrieve Embedded Sensitive Data. This issue affects Booking Ultra Pro: from n/a through <= 1.1.23. | 2026-01-22 | not yet calculated | CVE-2025-68006 | https://patchstack.com/database/Wordpress/Plugin/booking-ultra-pro/vulnerability/wordpress-booking-ultra-pro-plugin-1-1-23-sensitive-data-exposure-vulnerability?_s_id=cve |
| Design--Stylish Cost Calculator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows Stored XSS. This issue affects Stylish Cost Calculator: from n/a through <= 8.1.8. | 2026-01-23 | not yet calculated | CVE-2026-24630 | https://patchstack.com/database/Wordpress/Plugin/stylish-cost-calculator/vulnerability/wordpress-stylish-cost-calculator-plugin-8-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| designingmedia--Hostiko | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS. This issue affects Hostiko: from n/a through < 94.3.6. | 2026-01-22 | not yet calculated | CVE-2025-67949 | https://patchstack.com/database/Wordpress/Theme/hostiko/vulnerability/wordpress-hostiko-theme-94-3-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| designthemes--Kids Heaven | Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection. This issue affects Kids Heaven: from n/a through <= 3.2. | 2026-01-22 | not yet calculated | CVE-2025-67619 | https://patchstack.com/database/Wordpress/Theme/kids-world/vulnerability/wordpress-kids-heaven-theme-3-2-php-object-injection-vulnerability?_s_id=cve |
| designthemes--OneLife | Deserialization of Untrusted Data vulnerability in designthemes OneLife onelife allows Object Injection. This issue affects OneLife: from n/a through <= 3.9. | 2026-01-22 | not yet calculated | CVE-2025-69002 | https://patchstack.com/database/Wordpress/Theme/onelife/vulnerability/wordpress-onelife-theme-3-9-php-object-injection-vulnerability?_s_id=cve |
| designthemes--Reservation Plugin | Missing Authorization vulnerability in designthemes Reservation Plugin dt-reservation-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Reservation Plugin: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2025-69095 | https://patchstack.com/database/Wordpress/Plugin/dt-reservation-plugin/vulnerability/wordpress-reservation-plugin-plugin-1-7-settings-change-vulnerability?_s_id=cve |
| designthemes--Vivagh | Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection. This issue affects Vivagh: from n/a through <= 2.4. | 2026-01-22 | not yet calculated | CVE-2025-68899 | https://patchstack.com/database/Wordpress/Theme/vivagh/vulnerability/wordpress-vivagh-theme-2-4-php-object-injection-vulnerability?_s_id=cve |
| Devolutions--Server | SQL Injection vulnerability in remote-sessions in Devolutions Server. This issue affects Devolutions Server 2025.3.1 through 2025.3.12. | 2026-01-19 | not yet calculated | CVE-2026-0610 | https://devolutions.net/security/advisories/DEVO-2026-0003/ |
| Devolutions--Server | Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules. This issue affects Server: from 2025.3.1 through 2025.3.12. | 2026-01-19 | not yet calculated | CVE-2026-1007 | https://devolutions.net/security/advisories/DEVO-2026-0003/ |
| DevsBlink--EduBlink Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DevsBlink EduBlink Core edublink-core allows PHP Local File Inclusion. This issue affects EduBlink Core: from n/a through <= 2.0.7. | 2026-01-23 | not yet calculated | CVE-2026-24635 | https://patchstack.com/database/Wordpress/Plugin/edublink-core/vulnerability/wordpress-edublink-core-plugin-2-0-7-local-file-inclusion-vulnerability?_s_id=cve |
| Devsbrain--Flex QR Code Generator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Devsbrain Flex QR Code Generator flex-qr-code-generator allows DOM-Based XSS. This issue affects Flex QR Code Generator: from n/a through <= 1.2.8. | 2026-01-23 | not yet calculated | CVE-2026-24614 | https://patchstack.com/database/Wordpress/Plugin/flex-qr-code-generator/vulnerability/wordpress-flex-qr-code-generator-plugin-1-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Dimitri Grassi--Salon booking system | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Retrieve Embedded Sensitive Data. This issue affects Salon booking system: from n/a through <= 10.30.3. | 2026-01-22 | not yet calculated | CVE-2025-67954 | https://patchstack.com/database/Wordpress/Plugin/salon-booking-system/vulnerability/wordpress-salon-booking-system-plugin-10-30-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| DioxusLabs--components | Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue. | 2026-01-23 | not yet calculated | CVE-2026-24474 | https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69 https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a |
| Discord--Client | Discord Client Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Discord Client. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the discord_rpc module. The product loads a file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-27057. | 2026-01-23 | not yet calculated | CVE-2026-0776 | ZDI-26-040 |
| Dmytro Shteflyuk--CodeColorer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dmytro Shteflyuk CodeColorer codecolorer allows Stored XSS. This issue affects CodeColorer: from n/a through <= 0.10.1. | 2026-01-22 | not yet calculated | CVE-2025-68012 | https://patchstack.com/database/Wordpress/Plugin/codecolorer/vulnerability/wordpress-codecolorer-plugin-0-10-1-stored-cross-site-scripting-xss-vulnerability?_s_id=cve |
| docmost--docmost | Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0. | 2026-01-21 | not yet calculated | CVE-2026-23630 | https://github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj https://github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427daf https://github.com/docmost/docmost/releases/tag/v0.24.0 |
| docopt.cpp--docopt.cpp | A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the overflow may also result in process abort (DoS). | 2026-01-23 | not yet calculated | CVE-2025-67125 | https://gist.github.com/thesmartshadow/672afe8828844c833f46f8ebe2f5f3bd https://github.com/docopt/docopt.cpp |
| Doogee--Doogee | An OS command injection vulnerability in the com.sprd.engineermode component in Doogee Note59, Note59 Pro, and Note59 Pro+ allows a local attacker to execute arbitrary code and escalate privileges via the EngineerMode ADB shell, due to incomplete patching of CVE-2025-31710. | 2026-01-23 | not yet calculated | CVE-2025-67264 | http://doogee.com https://github.com/Skorpion96/unisoc-su/blob/main/CVE-2025-67264.md |
| Dotstore--Fraud Prevention For Woocommerce | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Retrieve Embedded Sensitive Data. This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.1. | 2026-01-23 | not yet calculated | CVE-2026-24553 | https://patchstack.com/database/Wordpress/Plugin/woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers/vulnerability/wordpress-fraud-prevention-for-woocommerce-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| dragonflyoss--dragonfly | Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1. | 2026-01-22 | not yet calculated | CVE-2026-24124 | https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7 https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f |
| Dynamicweb--Dynamicweb | An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later). | 2026-01-23 | not yet calculated | CVE-2022-25369 | https://www.dynamicweb.com/resources/downloads?Category=Releases https://www.assetnote.io/resources/research/advisory-dynamicweb-logic-flaw-leading-to-rce-cve-2022-25369 |
| e-plugins--Final User | Missing Authorization vulnerability in e-plugins Final User final-user allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Final User: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2025-69187 | https://patchstack.com/database/Wordpress/Plugin/final-user/vulnerability/wordpress-final-user-plugin-1-2-5-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Final User | Incorrect Privilege Assignment vulnerability in e-plugins Final User final-user allows Privilege Escalation. This issue affects Final User: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2025-69293 | https://patchstack.com/database/Wordpress/Plugin/final-user/vulnerability/wordpress-final-user-plugin-1-2-5-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins--fitness-trainer | Missing Authorization vulnerability in e-plugins fitness-trainer fitness-trainer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects fitness-trainer: from n/a through <= 1.7.1. | 2026-01-22 | not yet calculated | CVE-2025-69188 | https://patchstack.com/database/Wordpress/Plugin/fitness-trainer/vulnerability/wordpress-fitness-trainer-plugin-1-7-1-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Hospital Doctor Directory | Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | 2026-01-22 | not yet calculated | CVE-2025-68057 | https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-broken-access-control-vulnerability-2?_s_id=cve |
| e-plugins--Hospital Doctor Directory | Incorrect Privilege Assignment vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Privilege Escalation. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | 2026-01-22 | not yet calculated | CVE-2025-69183 | https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins--Hospital Doctor Directory | Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | 2026-01-22 | not yet calculated | CVE-2025-69186 | https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Hotel Listing | Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Listing: from n/a through <= 1.4.2. | 2026-01-22 | not yet calculated | CVE-2025-68059 | https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability-2?_s_id=cve |
| e-plugins--Hotel Listing | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS. This issue affects Hotel Listing: from n/a through <= 1.4.0. | 2026-01-22 | not yet calculated | CVE-2025-69056 | https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| e-plugins--Hotel Listing | Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Listing: from n/a through <= 1.4.2. | 2026-01-22 | not yet calculated | CVE-2025-69185 | https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Institutions Directory | Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Institutions Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-68058 | https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability-2?_s_id=cve |
| e-plugins--Institutions Directory | Incorrect Privilege Assignment vulnerability in e-plugins Institutions Directory institutions-directory allows Privilege Escalation. This issue affects Institutions Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69182 | https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins--Institutions Directory | Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Institutions Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69184 | https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Lawyer Directory | Incorrect Privilege Assignment vulnerability in e-plugins Lawyer Directory lawyer-directory allows Privilege Escalation. This issue affects Lawyer Directory: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-67966 | https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-3-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins--Lawyer Directory | Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-67967 | https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Lawyer Directory | Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69181 | https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-4-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Listihub | Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Listihub: from n/a through <= 1.0.6. | 2026-01-22 | not yet calculated | CVE-2025-69190 | https://patchstack.com/database/Wordpress/Theme/listihub/vulnerability/wordpress-listihub-theme-1-0-6-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--ListingHub | Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingHub: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-69191 | https://patchstack.com/database/Wordpress/Plugin/listinghub/vulnerability/wordpress-listinghub-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Real Estate Pro | Missing Authorization vulnerability in e-plugins Real Estate Pro real-estate-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Real Estate Pro: from n/a through <= 2.1.5. | 2026-01-22 | not yet calculated | CVE-2025-69192 | https://patchstack.com/database/Wordpress/Plugin/real-estate-pro/vulnerability/wordpress-real-estate-pro-plugin-2-1-5-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--WP Membership | Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Membership: from n/a through <= 1.6.4. | 2026-01-22 | not yet calculated | CVE-2025-69193 | https://patchstack.com/database/Wordpress/Plugin/wp-membership/vulnerability/wordpress-wp-membership-plugin-1-6-4-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--WP Membership | Incorrect Privilege Assignment vulnerability in e-plugins WP Membership wp-membership allows Privilege Escalation. This issue affects WP Membership: from n/a through <= 1.6.4. | 2026-01-22 | not yet calculated | CVE-2025-69292 | https://patchstack.com/database/Wordpress/Plugin/wp-membership/vulnerability/wordpress-wp-membership-plugin-1-6-4-privilege-escalation-vulnerability?_s_id=cve |
| Ecwid by Lightspeed Ecommerce Shopping Cart--Ecwid Shopping Cart | Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5. | 2026-01-23 | not yet calculated | CVE-2026-24580 | https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability?_s_id=cve |
| Ecwid by Lightspeed Ecommerce Shopping Cart--Ecwid Shopping Cart | Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5. | 2026-01-23 | not yet calculated | CVE-2026-24613 | https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability-2?_s_id=cve |
| Edge-Themes--Eldon | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Eldon eldon allows PHP Local File Inclusion. This issue affects Eldon: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2025-69057 | https://patchstack.com/database/Wordpress/Theme/eldon/vulnerability/wordpress-eldon-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| Edge-Themes--Overworld | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion. This issue affects Overworld: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2025-69050 | https://patchstack.com/database/Wordpress/Theme/overworld/vulnerability/wordpress-overworld-theme-1-3-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--Laurent | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion. This issue affects Laurent: from n/a through <= 3.1. | 2026-01-23 | not yet calculated | CVE-2026-24609 | https://patchstack.com/database/Wordpress/Theme/laurent/vulnerability/wordpress-laurent-theme-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--Laurent Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent Core laurent-core allows PHP Local File Inclusion. This issue affects Laurent Core: from n/a through <= 2.4.1. | 2026-01-23 | not yet calculated | CVE-2026-24608 | https://patchstack.com/database/Wordpress/Plugin/laurent-core/vulnerability/wordpress-laurent-core-plugin-2-4-1-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--Search & Go | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Search & Go search-and-go allows PHP Local File Inclusion. This issue affects Search & Go: from n/a through <= 2.8. | 2026-01-22 | not yet calculated | CVE-2025-69005 | https://patchstack.com/database/Wordpress/Theme/search-and-go/vulnerability/wordpress-search-go-theme-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--Sweet Jane | Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sweet Jane: from n/a through <= 1.2. | 2026-01-22 | not yet calculated | CVE-2026-22426 | https://patchstack.com/database/Wordpress/Theme/sweetjane/vulnerability/wordpress-sweet-jane-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Elated-Themes--Töbel | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Töbel tobel allows PHP Local File Inclusion. This issue affects Töbel: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2025-69049 | https://patchstack.com/database/Wordpress/Theme/tobel/vulnerability/wordpress-toebel-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--The Aisle | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle theaisle allows PHP Local File Inclusion. This issue affects The Aisle: from n/a through < 2.9.1. | 2026-01-22 | not yet calculated | CVE-2025-67941 | https://patchstack.com/database/Wordpress/Theme/theaisle/vulnerability/wordpress-the-aisle-theme-2-9-1-local-file-inclusion-vulnerability?_s_id=cve |
| Element Invader--Element Invader – Template Kits for Elementor | Missing Authorization vulnerability in Element Invader Element Invader – Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Element Invader – Template Kits for Elementor: from n/a through <= 1.2.4. | 2026-01-22 | not yet calculated | CVE-2026-24386 | https://patchstack.com/database/Wordpress/Plugin/elementinvader/vulnerability/wordpress-element-invader-template-kits-for-elementor-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| Enel X--JuiceBox 40 | Enel X JuiceBox 40 Telnet Service Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Enel X JuiceBox 40 charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the telnet service, which listens on TCP port 2000 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23285. | 2026-01-23 | not yet calculated | CVE-2026-0778 | ZDI-26-041 |
| esphome--esphome | ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions 2025.9.0 through 2025.12.6, an integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used. The bounds check `ptr + field_length > end` in `components/api/proto.cpp` can overflow when a malicious client sends a large `field_length` value. This affects all ESPHome device platforms (ESP32, ESP8266, RP2040, LibreTiny). The overflow bypasses the out-of-bounds check, causing the device to read invalid memory and crash. When using the plaintext API protocol, this attack can be performed without authentication. When noise encryption is enabled, knowledge of the encryption key is required. Users should upgrade to ESPHome 2025.12.7 or later to receive a patch, enable API encryption with a unique key per device, and follow the Security Best Practices. | 2026-01-19 | not yet calculated | CVE-2026-23833 | https://github.com/esphome/esphome/security/advisories/GHSA-4h3h-63v6-88qx https://github.com/esphome/esphome/pull/13306 https://github.com/esphome/esphome/commit/69d7b6e9210390051318bd8e6410727689de08d6 https://esphome.io/guides/security_best_practices |
| Essekia--Tablesome | Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.1.35.2. | 2026-01-23 | not yet calculated | CVE-2026-24524 | https://patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-35-2-broken-access-control-vulnerability?_s_id=cve |
| Event Espresso--Event Espresso 4 Decaf | Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf. | 2026-01-22 | not yet calculated | CVE-2025-68007 | https://patchstack.com/database/Wordpress/Plugin/event-espresso-decaf/vulnerability/wordpress-event-espresso-4-decaf-plugin-5-0-37-decaf-settings-change-vulnerability?_s_id=cve |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.12.0, `is_message_crc_correct` in the DZG_GSH01 powermeter SLIP parser reads `vec[vec.size()-1]` and `vec[vec.size()-2]` without checking that at least two bytes are present. Malformed SLIP frames on the serial link can reach `is_message_crc_correct` with `vec.size() < 2` (only via the multi-message path), causing an out-of-bounds read before CRC verification and `pop_back` underflow. Therefore, an attacker controlling the serial input can reliably crash the process. Version 2025.12.0 fixes the issue. | 2026-01-21 | not yet calculated | CVE-2025-68132 | https://github.com/EVerest/everest-core/security/advisories/GHSA-79gc-m8w6-9hx5 https://github.com/EVerest/everest-core/commit/b8139b95144e3fe0082789b7fafe4e532ee494a1 |
| ExpressTech Systems--Quiz And Survey Master | Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quiz And Survey Master: from n/a through <= 10.3.3. | 2026-01-22 | not yet calculated | CVE-2026-24358 | https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-3-broken-access-control-vulnerability?_s_id=cve |
| expresstechsoftware--MemberPress Discord Addon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in expresstechsoftware MemberPress Discord Addon expresstechsoftwares-memberpress-discord-add-on allows Reflected XSS. This issue affects MemberPress Discord Addon: from n/a through <= 1.1.4. | 2026-01-22 | not yet calculated | CVE-2025-68838 | https://patchstack.com/database/Wordpress/Plugin/expresstechsoftwares-memberpress-discord-add-on/vulnerability/wordpress-memberpress-discord-addon-plugin-1-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| external-secrets--external-secrets | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards. As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource. | 2026-01-21 | not yet calculated | CVE-2026-22822 | https://github.com/external-secrets/external-secrets/security/advisories/GHSA-77v3-r3jw-j2v2 https://github.com/external-secrets/external-secrets/issues/5690 https://github.com/external-secrets/external-secrets/pull/3895 https://github.com/external-secrets/external-secrets/commit/17d3e22b8d3fbe339faf8515a95ec06ec92b1feb https://github.com/external-secrets/external-secrets/releases/tag/v1.2.0 |
| extremeidea--bidorbuy Store Integrator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Reflected XSS. This issue affects bidorbuy Store Integrator: from n/a through <= 2.12.0. | 2026-01-22 | not yet calculated | CVE-2025-68883 | https://patchstack.com/database/Wordpress/Plugin/bidorbuystoreintegrator/vulnerability/wordpress-bidorbuy-store-integrator-plugin-2-12-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Farost--Energia | Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server. This issue affects Energia: from n/a through <= 1.1.2. | 2026-01-22 | not yet calculated | CVE-2025-50002 | https://patchstack.com/database/Wordpress/Theme/energia/vulnerability/wordpress-energia-theme-1-1-2-arbitrary-file-upload-vulnerability?_s_id=cve |
| favethemes--Homey Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS. This issue affects Homey Core: from n/a through <= 2.4.3. | 2026-01-22 | not yet calculated | CVE-2025-67964 | https://patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| favethemes--Houzez Theme - Functionality | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality allows Stored XSS. This issue affects Houzez Theme - Functionality: from n/a through <= 4.2.6. | 2026-01-22 | not yet calculated | CVE-2026-24355 | https://patchstack.com/database/Wordpress/Plugin/houzez-theme-functionality/vulnerability/wordpress-houzez-theme-functionality-plugin-4-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| FireStorm Plugins--FireStorm Professional Real Estate | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FireStorm Plugins FireStorm Professional Real Estate fs-real-estate-plugin allows Blind SQL Injection. This issue affects FireStorm Professional Real Estate: from n/a through <= 2.7.11. | 2026-01-22 | not yet calculated | CVE-2026-22470 | https://patchstack.com/database/Wordpress/Plugin/fs-real-estate-plugin/vulnerability/wordpress-firestorm-professional-real-estate-plugin-2-7-11-sql-injection-vulnerability?_s_id=cve |
| fleetdm--fleet | fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. | 2026-01-21 | not yet calculated | CVE-2026-22808 | https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j |
| fleetdm--fleet | Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleet's debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege "Observer" role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround. | 2026-01-21 | not yet calculated | CVE-2026-23517 | https://github.com/fleetdm/fleet/security/advisories/GHSA-4r5r-ccr6-q6f6 https://github.com/fleetdm/fleet/commit/5c030e32a3a9bc512355b5e1bf19636e4e6d0317 |
| fleetdm--fleet | Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. | 2026-01-21 | not yet calculated | CVE-2026-23518 | https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v https://github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257 |
| flexostudio--flexo-posts-manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio flexo-posts-manager flexo-posts-manager allows Reflected XSS. This issue affects flexo-posts-manager: from n/a through <= 1.0001. | 2026-01-22 | not yet calculated | CVE-2025-52762 | https://patchstack.com/database/Wordpress/Plugin/flexo-posts-manager/vulnerability/wordpress-flexo-posts-manager-plugin-1-0001-cross-site-scripting-xss-vulnerability?_s_id=cve |
| FmeAddons--Registration & Login with Mobile Phone Number for WooCommerce | Missing Authorization vulnerability in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce registration-login-with-mobile-phone-number allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Registration & Login with Mobile Phone Number for WooCommerce: from n/a through <= 1.3.1. | 2026-01-22 | not yet calculated | CVE-2025-69052 | https://patchstack.com/database/Wordpress/Plugin/registration-login-with-mobile-phone-number/vulnerability/wordpress-registration-login-with-mobile-phone-number-for-woocommerce-plugin-1-2-9-broken-access-control-vulnerability?_s_id=cve |
| FooEvents--FooEvents for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FooEvents FooEvents for WooCommerce fooevents allows SQL Injection. This issue affects FooEvents for WooCommerce: from n/a through <= 1.20.4. | 2026-01-22 | not yet calculated | CVE-2025-69045 | https://patchstack.com/database/Wordpress/Plugin/fooevents/vulnerability/wordpress-fooevents-for-woocommerce-plugin-1-20-4-sql-injection-vulnerability?_s_id=cve |
| foreverpinetree--TheNa | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS. This issue affects TheNa: from n/a through <= 1.5.5. | 2026-01-22 | not yet calculated | CVE-2025-67614 | https://patchstack.com/database/Wordpress/Theme/thena/vulnerability/wordpress-thena-theme-1-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Foundation Agents--MetaGPT | Foundation Agents MetaGPT deserialize_message Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the deserialize_message function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28121. | 2026-01-23 | not yet calculated | CVE-2026-0760 | ZDI-26-026 |
| Foundation Agents--MetaGPT | Foundation Agents MetaGPT actionoutput_str_to_mapping Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the actionoutput_str_to_mapping function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28124. | 2026-01-23 | not yet calculated | CVE-2026-0761 | ZDI-26-027 |
| Framelink--Figma MCP Server | Framelink Figma MCP Server fetchWithRetry Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Framelink Figma MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the fetchWithRetry method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27877. | 2026-01-23 | not yet calculated | CVE-2025-15061 | ZDI-25-1197 vendor-provided URL |
| Frank Corso--Quote Master | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Corso Quote Master quote-master allows Reflected XSS. This issue affects Quote Master: from n/a through <= 7.1.1. | 2026-01-22 | not yet calculated | CVE-2025-68849 | https://patchstack.com/database/Wordpress/Plugin/quote-master/vulnerability/wordpress-quote-master-plugin-7-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| franklioxygen--MyTube | MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view. | 2026-01-23 | not yet calculated | CVE-2026-24139 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-hhc3-8q8c-89q7 https://github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280 |
| Free5GC--Free5GC | An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers to obtain an access token with any arbitrary scope. | 2026-01-23 | not yet calculated | CVE-2025-66719 | https://github.com/free5gc/free5gc/issues/736 https://github.com/free5gc/nrf/pull/73 |
| Free5GC--Free5GC | Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/ampolicy.go in function HandleDeletePoliciesPolAssoId. | 2026-01-23 | not yet calculated | CVE-2025-66720 | https://github.com/free5gc/free5gc/issues/726 https://github.com/free5gc/pcf/pull/57 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23530 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-r4hv-852m-fq7p https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1689-L1696 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1713-L1716 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L951-L953 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23531 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L1139-L1145 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client's `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23532 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/gdi/gfx.c#L1368-L1382 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23533 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L268-L281 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L336 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23534 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L878-L879 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L883-L884 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23732 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7qxp-j2fj-c3pp https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/cache/glyph.c#L463-L480 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/codec/color.c#L261-L277 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/graphics.c#L138 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/orders.c#L2186C17-L2199 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23883 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcrr-85qx-4p6x https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L312-L319 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L340 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/pointer.c#L164-L174 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23884 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cfgj-vc84-f3pp https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L114-L122 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L87-L91 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| Fsas Technologies Inc.--ServerView Agents for Windows | The installer of ServerView Agents for Windows provided by Fsas Technologies Inc. may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the administrator privilege when the installer is executed. | 2026-01-21 | not yet calculated | CVE-2026-24016 | https://www.fsastech.com/ja-jp/resources/security/2026/0121.html https://jvn.jp/en/jp/JVN65211823/ |
| fuelthemes--North | Deserialization of Untrusted Data vulnerability in fuelthemes North north-wp allows Object Injection. This issue affects North: from n/a through <= 5.7.5. | 2026-01-22 | not yet calculated | CVE-2025-69099 | https://patchstack.com/database/Wordpress/Theme/north-wp/vulnerability/wordpress-north-theme-5-7-5-php-object-injection-vulnerability?_s_id=cve |
| fuelthemes--North | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North north-wp allows PHP Local File Inclusion. This issue affects North: from n/a through <= 5.7.5. | 2026-01-22 | not yet calculated | CVE-2025-69100 | https://patchstack.com/database/Wordpress/Theme/north-wp/vulnerability/wordpress-north-theme-5-7-5-local-file-inclusion-vulnerability?_s_id=cve |
| fuelthemes--Werkstatt | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion. This issue affects Werkstatt: from n/a through < 4.8.3. | 2026-01-22 | not yet calculated | CVE-2025-69314 | https://patchstack.com/database/Wordpress/Theme/werkstatt/vulnerability/wordpress-werkstatt-theme-4-8-3-local-file-inclusion-vulnerability?_s_id=cve |
| fuelthemes--WerkStatt Plugin | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion. This issue affects WerkStatt Plugin: from n/a through <= 1.6.6. | 2026-01-22 | not yet calculated | CVE-2025-63017 | https://patchstack.com/database/Wordpress/Plugin/werkstatt-plugin/vulnerability/wordpress-werkstatt-plugin-plugin-1-6-6-local-file-inclusion-vulnerability?_s_id=cve |
| garidium--g-FFL Checkout | Unrestricted Upload of File with Dangerous Type vulnerability in garidium g-FFL Checkout g-ffl-checkout allows Upload a Web Shell to a Web Server. This issue affects g-FFL Checkout: from n/a through <= 2.1.0. | 2026-01-22 | not yet calculated | CVE-2025-68001 | https://patchstack.com/database/Wordpress/Plugin/g-ffl-checkout/vulnerability/wordpress-g-ffl-checkout-plugin-2-1-0-arbitrary-file-upload-vulnerability?_s_id=cve |
| Gemini MCP Tool--gemini-mcp-tool | gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of gemini-mcp-tool. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27783. | 2026-01-23 | not yet calculated | CVE-2026-0755 | ZDI-26-021 |
| gemsloyalty--gemsloyalty | A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg through 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message. | 2026-01-23 | not yet calculated | CVE-2025-52022 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| gemsloyalty--gemsloyalty | A vulnerability in the PHP backend of gemscms.aptsys.com.sg through 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message. | 2026-01-23 | not yet calculated | CVE-2025-52023 | http://aptsys.com http://gemscms.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| gemsloyalty--gemsloyalty | A vulnerability exists in the Aptsys POS Platform Web Services module through 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries. | 2026-01-23 | not yet calculated | CVE-2025-52024 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| gemsloyalty--gemsloyalty | An SQL Injection vulnerability exists in the GetServiceByRestaurantID endpoint of the Aptsys gemscms POS Platform backend through 2025-05-28. The vulnerability arises because user input is directly inserted into a dynamic SQL query syntax without proper sanitization or parameterization. This allows an attacker to inject and execute arbitrary SQL code by submitting crafted input in the id parameter, leading to unauthorized data access or modification. | 2026-01-23 | not yet calculated | CVE-2025-52025 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| Genetech Products--Pie Register | Missing Authorization vulnerability in Genetech Products Pie Register pie-register allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pie Register: from n/a through <= 3.8.4.7. | 2026-01-23 | not yet calculated | CVE-2026-24577 | https://patchstack.com/database/Wordpress/Plugin/pie-register/vulnerability/wordpress-pie-register-plugin-3-8-4-7-broken-access-control-vulnerability?_s_id=cve |
| Get-Simple--My SMTP Contact Plugin | GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. | 2026-01-21 | not yet calculated | CVE-2021-47778 | ExploitDB-49774 Vendor Homepage GetSimple CMS GitHub Repository Full Disclosure Repository VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.2 - PHP Code Injection |
| getarcaneapp--arcane | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/...` requests for remote environments before authentication was enforced. When the environment ID was not local, the middleware proxied the request and attached the manager-held agent token, even if the caller was unauthenticated. This enabled unauthenticated access to remote environment operations (e.g., listing containers, streaming logs, or other agent endpoints). An unauthenticated attacker could access and manipulate remote environment resources via the proxy, potentially leading to data exposure, unauthorized changes, or service disruption. Version 1.13.2 patches the vulnerability. | 2026-01-19 | not yet calculated | CVE-2026-23944 | https://github.com/getarcaneapp/arcane/security/advisories/GHSA-2jv8-39rp-cqqr https://github.com/getarcaneapp/arcane/pull/1532 https://github.com/getarcaneapp/arcane/commit/2008e1b93b25d0c4c3fff3af07843766231614eb https://github.com/getarcaneapp/arcane/releases/tag/v1.13.2 |
| GetSimple CMS--My SMTP Contact Plugin | GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not directly enable remote code execution. | 2026-01-21 | not yet calculated | CVE-2021-47830 | ExploitDB-49774 ExploitDB-49798 GetSimple CMS Webpage GetSimple CMS GitHub Repository VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF |
| GetSimple CMS--My SMTP Contact Plugin | GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when visiting a malicious page. | 2026-01-21 | not yet calculated | CVE-2021-47870 | Full Disclosure Repository Vendor Homepage GetSimple CMS GitHub Repository ExploitDB-49798 VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.2 - Stored XSS |
| GIMP--GIMP | GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28232. | 2026-01-23 | not yet calculated | CVE-2025-15059 | ZDI-25-1196 vendor-provided URL |
| Gitea--Gitea Open Source Git Server | Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content. | 2026-01-22 | not yet calculated | CVE-2026-0798 | GitHub Security Advisory GitHub Pull Request #36319 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. | 2026-01-22 | not yet calculated | CVE-2026-20736 | GitHub Security Advisory GitHub Pull Request #36320 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. | 2026-01-22 | not yet calculated | CVE-2026-20750 | GitHub Security Advisory GitHub Pull Request #36318 GitHub Pull Request #36373 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. | 2026-01-22 | not yet calculated | CVE-2026-20800 | GitHub Security Advisory GitHub Pull Request #36339 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. | 2026-01-22 | not yet calculated | CVE-2026-20883 | GitHub Security Advisory GitHub Pull Request #36340 GitHub Pull Request #36368 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. | 2026-01-22 | not yet calculated | CVE-2026-20888 | GitHub Security Advisory GitHub Pull Request #36341 GitHub Pull Request #36356 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. | 2026-01-22 | not yet calculated | CVE-2026-20897 | GitHub Security Advisory GitHub Pull Request #36344 GitHub Pull Request #36349 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities. | 2026-01-22 | not yet calculated | CVE-2026-20904 | GitHub Security Advisory GitHub Pull Request #36346 GitHub Pull Request #36361 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. | 2026-01-22 | not yet calculated | CVE-2026-20912 | GitHub Security Advisory GitHub Pull Request #36320 GitHub Pull Request #36355 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| github-kanban-mcp-server--github-kanban-mcp-server | github-kanban-mcp-server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of github-kanban-mcp-server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the create_issue parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27784. | 2026-01-23 | not yet calculated | CVE-2026-0756 | ZDI-26-022 |
| GLS--GLS Shipping for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce allows Reflected XSS. This issue affects GLS Shipping for WooCommerce: from n/a through <= 1.4.0. | 2026-01-22 | not yet calculated | CVE-2025-68011 | https://patchstack.com/database/Wordpress/Plugin/gls-shipping-for-woocommerce/vulnerability/wordpress-gls-shipping-for-woocommerce-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| goalthemes--Bailly | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bailly bailly allows PHP Local File Inclusion. This issue affects Bailly: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69039 | https://patchstack.com/database/Wordpress/Theme/bailly/vulnerability/wordpress-bailly-theme-1-3-4-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Bfres | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bfres bfres allows PHP Local File Inclusion. This issue affects Bfres: from n/a through <= 1.2.1. | 2026-01-22 | not yet calculated | CVE-2025-69040 | https://patchstack.com/database/Wordpress/Theme/bfres/vulnerability/wordpress-bfres-theme-1-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Dekoro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Dekoro dekoro allows PHP Local File Inclusion. This issue affects Dekoro: from n/a through <= 1.0.7. | 2026-01-22 | not yet calculated | CVE-2025-69041 | https://patchstack.com/database/Wordpress/Theme/dekoro/vulnerability/wordpress-dekoro-theme-1-0-7-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Hyori | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Hyori hyori allows PHP Local File Inclusion. This issue affects Hyori: from n/a through <= 1.3.6. | 2026-01-22 | not yet calculated | CVE-2025-69038 | https://patchstack.com/database/Wordpress/Theme/hyori/vulnerability/wordpress-hyori-theme-1-3-6-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Lindo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion. This issue affects Lindo: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2025-69042 | https://patchstack.com/database/Wordpress/Theme/lindo/vulnerability/wordpress-lindo-theme-1-2-5-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Pippo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Pippo pippo allows PHP Local File Inclusion. This issue affects Pippo: from n/a through <= 1.2.3. | 2026-01-22 | not yet calculated | CVE-2025-69037 | https://patchstack.com/database/Wordpress/Theme/pippo/vulnerability/wordpress-pippo-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Rashy | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Rashy rashy allows PHP Local File Inclusion. This issue affects Rashy: from n/a through <= 1.1.3. | 2026-01-22 | not yet calculated | CVE-2025-69043 | https://patchstack.com/database/Wordpress/Theme/rashy/vulnerability/wordpress-rashy-theme-1-1-3-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Vango | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Vango vango allows PHP Local File Inclusion. This issue affects Vango: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-69044 | https://patchstack.com/database/Wordpress/Theme/vango/vulnerability/wordpress-vango-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| Google--Chrome | Out of bounds memory access in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | 2026-01-20 | not yet calculated | CVE-2026-0899 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/458914193 |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | 2026-01-20 | not yet calculated | CVE-2026-0900 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/465730465 |
| Google--Chrome | Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | 2026-01-20 | not yet calculated | CVE-2026-0901 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/40057499 |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0902 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/469143679 |
| Google--Chrome | Inappropriate implementation in Downloads in Google Chrome on Windows prior to 144.0.7559.59 allowed a remote attacker to bypass dangerous file type protections via a malicious file. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0903 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/444803530 |
| Google--Chrome | Incorrect security UI in Digital Credentials in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0904 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/452209495 |
| Google--Chrome | Insufficient policy enforcement in Network in Google Chrome prior to 144.0.7559.59 allowed an attacker who obtained a network log file to potentially obtain potentially sensitive information via a network log file. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0905 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/465466773 |
| Google--Chrome | Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low) | 2026-01-20 | not yet calculated | CVE-2026-0906 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/467448811 |
| Google--Chrome | Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-01-20 | not yet calculated | CVE-2026-0907 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/444653104 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) | 2026-01-20 | not yet calculated | CVE-2026-0908 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/452209503 |
| Google--Sentencepiece | Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure. | 2026-01-22 | not yet calculated | CVE-2026-1260 | https://github.com/google/sentencepiece/releases/tag/v0.2.1 |
| GPT Academic--GPT Academic | GPT Academic stream_daas Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Interaction with a malicious DAAS server is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the stream_daas function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27956. | 2026-01-23 | not yet calculated | CVE-2026-0762 | ZDI-26-028 |
| GPT Academic--GPT Academic | GPT Academic run_in_subprocess_wrapper_func Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run_in_subprocess_wrapper_func function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27958. | 2026-01-23 | not yet calculated | CVE-2026-0763 | ZDI-26-029 |
| GPT Academic--GPT Academic | GPT Academic upload Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the upload endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27957. | 2026-01-23 | not yet calculated | CVE-2026-0764 | ZDI-26-030 |
| gregmolnar--Simple XML Sitemap | Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS. This issue affects Simple XML Sitemap: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22355 | https://patchstack.com/database/Wordpress/Plugin/simple-xml-sitemap/vulnerability/wordpress-simple-xml-sitemap-plugin-1-3-csrf-to-stored-xss-vulnerability?_s_id=cve |
| Hangzhou Kuozhi Network Technology Co., Ltd.--EduSoho | EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC). | 2026-01-22 | not yet calculated | CVE-2023-7335 | https://www.edusoho.com/ https://github.com/edusoho/edusoho/releases/tag/v22.4.7 https://cn-sec.com/archives/2451582.html https://blog.csdn.net/qq_41904294/article/details/135007351 https://github.com/zeroChen00/exp-poc/blob/main/EduSoho%E6%95%99%E5%9F%B9%E7%B3%BB%E7%BB%9Fclassropm-course-statistics%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md https://github.com/gobysec/GobyVuls/blob/master/CNVD-2023-03903.md https://www.cnvd.org.cn/flaw/show/CNVD-2023-03903 https://www.vulncheck.com/advisories/edusoho-arbitrary-file-read-via-classroom-course-statistics |
| HappyMonster--Happy Addons for Elementor | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Blind SQL Injection. This issue affects Happy Addons for Elementor: from n/a through <= 3.20.4. | 2026-01-22 | not yet calculated | CVE-2025-68999 | https://patchstack.com/database/Wordpress/Plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-4-sql-injection-vulnerability?_s_id=cve |
| Harmonic Design--HD Quiz | Missing Authorization vulnerability in Harmonic Design HD Quiz hd-quiz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HD Quiz: from n/a through <= 2.0.9. | 2026-01-23 | not yet calculated | CVE-2026-24544 | https://patchstack.com/database/Wordpress/Plugin/hd-quiz/vulnerability/wordpress-hd-quiz-plugin-2-0-9-broken-access-control-vulnerability?_s_id=cve |
| Harmonic Design--HDForms | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Harmonic Design HDForms hdforms allows Path Traversal. This issue affects HDForms: from n/a through <= 1.6.1. | 2026-01-22 | not yet calculated | CVE-2025-68912 | https://patchstack.com/database/Wordpress/Plugin/hdforms/vulnerability/wordpress-hdforms-plugin-1-6-1-arbitrary-file-deletion-vulnerability?_s_id=cve |
| hassantafreshi--Easy Form Builder | Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form Builder: from n/a through <= 3.9.6. | 2026-01-22 | not yet calculated | CVE-2026-22472 | https://patchstack.com/database/Wordpress/Plugin/easy-form-builder/vulnerability/wordpress-easy-form-builder-plugin-3-9-4-broken-access-control-vulnerability?_s_id=cve |
| hexpm--hexpm | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3. This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19. | 2026-01-19 | not yet calculated | CVE-2026-21618 | https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8 |
| highwarden--Super Interactive Maps | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Interactive Maps super-interactive-maps allows Reflected XSS. This issue affects Super Interactive Maps: from n/a through <= 2.3. | 2026-01-22 | not yet calculated | CVE-2025-49045 | https://patchstack.com/database/Wordpress/Plugin/super-interactive-maps/vulnerability/wordpress-super-interactive-maps-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| highwarden--Super Logos Showcase | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Logos Showcase superlogoshowcase-wp allows Reflected XSS. This issue affects Super Logos Showcase: from n/a through <= 2.8. | 2026-01-22 | not yet calculated | CVE-2025-69054 | https://patchstack.com/database/Wordpress/Plugin/superlogoshowcase-wp/vulnerability/wordpress-super-logos-showcase-plugin-2-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Horea Radu--Materialis Companion | Missing Authorization vulnerability in Horea Radu Materialis Companion materialis-companion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Materialis Companion: from n/a through <= 1.3.52. | 2026-01-23 | not yet calculated | CVE-2026-24543 | https://patchstack.com/database/Wordpress/Plugin/materialis-companion/vulnerability/wordpress-materialis-companion-plugin-1-3-52-broken-access-control-vulnerability?_s_id=cve |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue. | 2026-01-22 | not yet calculated | CVE-2026-24010 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3 https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| Hossni Mubarak--JobWP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hossni Mubarak JobWP jobwp allows Stored XSS. This issue affects JobWP: from n/a through <= 2.4.5. | 2026-01-22 | not yet calculated | CVE-2025-69318 | https://patchstack.com/database/Wordpress/Plugin/jobwp/vulnerability/wordpress-jobwp-plugin-2-4-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Hotwired Turbo--Hotwire Turbo | Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers. | 2026-01-20 | not yet calculated | CVE-2025-66803 | https://github.com/hotwired/turbo/pull/1399 https://turbo.hotwired.dev/handbook/frames https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp |
| Hubitat--Elevation C3 | An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation. | 2026-01-22 | not yet calculated | CVE-2026-1201 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06 |
| Hyyan Abo Fakher--Hyyan WooCommerce Polylang Integration | Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hyyan WooCommerce Polylang Integration: from n/a through <= 1.5.0. | 2026-01-23 | not yet calculated | CVE-2026-24585 | https://patchstack.com/database/Wordpress/Plugin/woo-poly-integration/vulnerability/wordpress-hyyan-woocommerce-polylang-integration-plugin-1-5-0-broken-access-control-vulnerability?_s_id=cve |
| Icegram--Icegram | Missing Authorization vulnerability in Icegram Icegram icegram allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Icegram: from n/a through <= 3.1.35. | 2026-01-22 | not yet calculated | CVE-2025-68507 | https://patchstack.com/database/Wordpress/Plugin/icegram/vulnerability/wordpress-icegram-plugin-3-1-35-broken-access-control-vulnerability?_s_id=cve |
| ichurakov--Paid Downloads | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ichurakov Paid Downloads paid-downloads allows Blind SQL Injection. This issue affects Paid Downloads: from n/a through <= 3.15. | 2026-01-22 | not yet calculated | CVE-2025-68857 | https://patchstack.com/database/Wordpress/Plugin/paid-downloads/vulnerability/wordpress-paid-downloads-plugin-3-15-sql-injection-vulnerability?_s_id=cve |
| ilmosys--Order Listener for WooCommerce | Missing Authorization vulnerability in ilmosys Order Listener for WooCommerce woc-order-alert allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Listener for WooCommerce: from n/a through <= 3.6.1. | 2026-01-22 | not yet calculated | CVE-2025-68018 | https://patchstack.com/database/Wordpress/Plugin/woc-order-alert/vulnerability/wordpress-order-listener-for-woocommerce-plugin-3-6-0-broken-access-control-vulnerability?_s_id=cve |
| Imaginate Solutions--File Uploads Addon for WooCommerce | Missing Authorization vulnerability in Imaginate Solutions File Uploads Addon for WooCommerce woo-addon-uploads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects File Uploads Addon for WooCommerce: from n/a through <= 1.7.3. | 2026-01-23 | not yet calculated | CVE-2026-24625 | https://patchstack.com/database/Wordpress/Plugin/woo-addon-uploads/vulnerability/wordpress-file-uploads-addon-for-woocommerce-plugin-1-7-3-broken-access-control-vulnerability?_s_id=cve |
| Imagination Technologies--Graphics DDK | A web page containing unusual GPU shader code, when loaded from the Internet into the GPU compiler process, triggers a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges, this could enable further exploits on the device. The shader code contained in the web page executes a path in the compiler that held onto an out-of-date pointer, pointing to a freed memory object. | 2026-01-24 | not yet calculated | CVE-2025-13952 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imran Emu--Owl Carousel WP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu Owl Carousel WP owl-carousel-wp allows Stored XSS. This issue affects Owl Carousel WP: from n/a through <= 2.2.2. | 2026-01-22 | not yet calculated | CVE-2026-22388 | https://patchstack.com/database/Wordpress/Plugin/owl-carousel-wp/vulnerability/wordpress-owl-carousel-wp-plugin-2-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| iNET--iNET Webkit | Missing Authorization vulnerability in iNET iNET Webkit inet-webkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iNET Webkit: from n/a through <= 1.2.4. | 2026-01-23 | not yet calculated | CVE-2026-24566 | https://patchstack.com/database/Wordpress/Plugin/inet-webkit/vulnerability/wordpress-inet-webkit-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| Infility--Infility Global | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS. This issue affects Infility Global: from n/a through <= 2.14.50. | 2026-01-22 | not yet calculated | CVE-2025-68864 | https://patchstack.com/database/Wordpress/Plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-14-49-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Inkscape--Inkscape | The macOS version of Inkscape bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access the user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Inkscape, potentially disguising the attacker's malicious intent. This issue has been fixed in version 1.4.3 of Inkscape. | 2026-01-22 | not yet calculated | CVE-2025-15523 | https://inkscape.org/ https://cert.pl/en/posts/2026/01/CVE-2025-15523/ |
| InspiryThemes--Real Homes CRM | Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files. This issue affects Real Homes CRM: from n/a through <= 1.0.0. | 2026-01-22 | not yet calculated | CVE-2025-67968 | https://patchstack.com/database/Wordpress/Plugin/realhomes-crm/vulnerability/wordpress-real-homes-crm-plugin-1-0-0-arbitrary-file-upload-vulnerability?_s_id=cve |
| Intermesh--groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80. | 2026-01-21 | not yet calculated | CVE-2026-23887 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hp https://github.com/Intermesh/groupoffice/commit/3fa40d7edd31fbe33babe07061d5a14ad19ea40f https://github.com/Intermesh/groupoffice/commit/ac91b128157bc9c5ea015b6141ce71cd3bbc43f0 |
| Israpil--Textmetrics | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Israpil Textmetrics webtexttool allows Code Injection. This issue affects Textmetrics: from n/a through <= 3.6.3. | 2026-01-23 | not yet calculated | CVE-2026-24564 | https://patchstack.com/database/Wordpress/Plugin/webtexttool/vulnerability/wordpress-textmetrics-plugin-3-6-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| jagdish1o1--Delay Redirects | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jagdish1o1 Delay Redirects delay-redirects allows DOM-Based XSS. This issue affects Delay Redirects: from n/a through <= 1.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24632 | https://patchstack.com/database/Wordpress/Plugin/delay-redirects/vulnerability/wordpress-delay-redirects-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jahid Hasan--Admin login URL Change | Missing Authorization vulnerability in Jahid Hasan Admin login URL Change admin-login-url-change allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin login URL Change: from n/a through <= 1.1.5. | 2026-01-23 | not yet calculated | CVE-2026-24578 | https://patchstack.com/database/Wordpress/Plugin/admin-login-url-change/vulnerability/wordpress-admin-login-url-change-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve |
| Jamf--Jamf Pro | Authentication Bypass by Primary Weakness vulnerability in Jamf Jamf Pro allows unspecified impact. This issue affects Jamf Pro: from 11.20 through 11.24. | 2026-01-21 | not yet calculated | CVE-2026-1290 | https://learn.jamf.com/en-US/bundle/jamf-pro-release-notes-11.24.0/page/Resolved_Issues.html |
| jegtheme--JNews - Frontend Submit | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Frontend Submit jnews-frontend-submit allows Reflected XSS. This issue affects JNews - Frontend Submit: from n/a through <= 11.0.0. | 2026-01-22 | not yet calculated | CVE-2025-68904 | https://patchstack.com/database/Wordpress/Plugin/jnews-frontend-submit/vulnerability/wordpress-jnews-frontend-submit-plugin-11-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| jegtheme--JNews - Pay Writer | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion. This issue affects JNews - Pay Writer: from n/a through <= 11.0.0. | 2026-01-22 | not yet calculated | CVE-2025-68905 | https://patchstack.com/database/Wordpress/Plugin/jnews-pay-writer/vulnerability/wordpress-jnews-pay-writer-plugin-11-0-0-local-file-inclusion-vulnerability?_s_id=cve |
| jegtheme--JNews - Video | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Video jnews-video allows Reflected XSS. This issue affects JNews - Video: from n/a through <= 11.0.2. | 2026-01-22 | not yet calculated | CVE-2025-68906 | https://patchstack.com/database/Wordpress/Plugin/jnews-video/vulnerability/wordpress-jnews-video-plugin-11-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Johan Jonk Stenström--Cookies and Content Security Policy | Insertion of Sensitive Information Into Sent Data vulnerability in Johan Jonk Stenström Cookies and Content Security Policy cookies-and-content-security-policy allows Retrieve Embedded Sensitive Data. This issue affects Cookies and Content Security Policy: from n/a through <= 2.34. | 2026-01-22 | not yet calculated | CVE-2025-63019 | https://patchstack.com/database/Wordpress/Plugin/cookies-and-content-security-policy/vulnerability/wordpress-cookies-and-content-security-policy-plugin-2-34-sensitive-data-exposure-vulnerability?_s_id=cve |
| John James Jacoby--WP Term Order | Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Term Order wp-term-order allows Cross Site Request Forgery. This issue affects WP Term Order: from n/a through <= 2.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24542 | https://patchstack.com/database/Wordpress/Plugin/wp-term-order/vulnerability/wordpress-wp-term-order-plugin-2-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Jthemes--xSmart | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes xSmart xsmart allows Reflected XSS. This issue affects xSmart: from n/a through <= 1.2.9.4. | 2026-01-22 | not yet calculated | CVE-2025-50006 | https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jthemes--xSmart | Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation. This issue affects xSmart: from n/a through <= 1.2.9.4. | 2026-01-22 | not yet calculated | CVE-2025-50007 | https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-privilege-escalation-vulnerability?_s_id=cve |
| Jthemes--xSmart | Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects xSmart: from n/a through <= 1.2.9.4. | 2026-01-22 | not yet calculated | CVE-2025-54002 | https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-broken-access-control-vulnerability?_s_id=cve |
| JV--HarfBuzz::Shaper | HarfBuzz::Shaper versions before 0.032 for Perl contain a bundled library with a null pointer dereference vulnerability. Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693. | 2026-01-19 | not yet calculated | CVE-2026-0943 | https://bugzilla.redhat.com/show_bug.cgi?id=2429296 https://www.cve.org/CVERecord?id=CVE-2026-22693 https://metacpan.org/release/JV/HarfBuzz-Shaper-0.032/changes |
| Kaira--Blockons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kaira Blockons blockons allows Stored XSS. This issue affects Blockons: from n/a through <= 1.2.15. | 2026-01-23 | not yet calculated | CVE-2026-24550 | https://patchstack.com/database/Wordpress/Plugin/blockons/vulnerability/wordpress-blockons-plugin-1-2-15-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kamleshyadav--WP Lead Capturing Pages | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. | 2026-01-22 | not yet calculated | CVE-2025-49050 | https://patchstack.com/database/Wordpress/Plugin/wp-lead-capture/vulnerability/wordpress-wp-lead-capturing-pages-plugin-2-5-sql-injection-vulnerability-2?_s_id=cve |
| kamleshyadav--WP Lead Capturing Pages | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. | 2026-01-22 | not yet calculated | CVE-2025-49055 | https://patchstack.com/database/Wordpress/Plugin/wp-lead-capture/vulnerability/wordpress-wp-lead-capturing-pages-plugin-2-5-sql-injection-vulnerability?_s_id=cve |
| Kapil Chugh--My Post Order | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS. This issue affects My Post Order: from n/a through <= 1.2.1.1. | 2026-01-22 | not yet calculated | CVE-2025-68004 | https://patchstack.com/database/Wordpress/Plugin/my-posts-order/vulnerability/wordpress-my-post-order-plugin-1-2-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Kapil Paul--Payment Gateway bKash for WC | Missing Authorization vulnerability in Kapil Paul Payment Gateway bKash for WC woo-payment-bkash allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway bKash for WC: from n/a through <= 3.1.0. | 2026-01-22 | not yet calculated | CVE-2025-62754 | https://patchstack.com/database/Wordpress/Plugin/woo-payment-bkash/vulnerability/wordpress-payment-gateway-bkash-for-wc-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve |
| Katana Network--Development Starter Kit | Katana Network Development Starter Kit executeCommand Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Katana Network Development Starter Kit. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the executeCommand method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27786. | 2026-01-23 | not yet calculated | CVE-2026-0759 | ZDI-26-025 |
| kpdecker--jsdiff | jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`. | 2026-01-22 | not yet calculated | CVE-2026-24001 | https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx https://github.com/kpdecker/jsdiff/issues/653 https://github.com/kpdecker/jsdiff/pull/649 https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5 |
| Kriesi--Enfold | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows DOM-Based XSS. This issue affects Enfold: from n/a through <= 7.1.3. | 2026-01-22 | not yet calculated | CVE-2025-68900 | https://patchstack.com/database/Wordpress/Theme/enfold/vulnerability/wordpress-enfold-theme-7-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kutsy--AJAX Hits Counter + Popular Posts Widget | Missing Authorization vulnerability in kutsy AJAX Hits Counter + Popular Posts Widget ajax-hits-counter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Hits Counter + Popular Posts Widget: from n/a through <= 0.10.210305. | 2026-01-23 | not yet calculated | CVE-2026-24587 | https://patchstack.com/database/Wordpress/Plugin/ajax-hits-counter/vulnerability/wordpress-ajax-hits-counter-popular-posts-widget-plugin-0-10-210305-broken-access-control-vulnerability?_s_id=cve |
| LambertGroup--Accordion Slider PRO | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Reflected XSS. This issue affects Accordion Slider PRO: from n/a through <= 1.2. | 2026-01-22 | not yet calculated | CVE-2025-49066 | https://patchstack.com/database/Wordpress/Plugin/accordion_slider_pro/vulnerability/wordpress-accordion-slider-pro-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--HTML5 Video Player | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player lbg-vp2-html5-bottom allows Reflected XSS. This issue affects HTML5 Video Player: from n/a through <= 5.3.5. | 2026-01-22 | not yet calculated | CVE-2025-27005 | https://patchstack.com/database/Wordpress/Plugin/lbg-vp2-html5-bottom/vulnerability/wordpress-html5-video-player-plugin-5-3-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--HTML5 Video Player with Playlist & Multiple Skins | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS. This issue affects HTML5 Video Player with Playlist & Multiple Skins: from n/a through <= 5.3.5. | 2026-01-22 | not yet calculated | CVE-2025-32123 | https://patchstack.com/database/Wordpress/Plugin/lbg-vp2-html5-rightside/vulnerability/wordpress-html5-video-player-with-playlist-multiple-skins-plugin-5-3-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Image&Video FullScreen Background | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS. This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7. | 2026-01-22 | not yet calculated | CVE-2025-47666 | https://patchstack.com/database/Wordpress/Plugin/lbg_fullscreen_fullwidth_slider/vulnerability/wordpress-image-video-fullscreen-background-plugin-1-6-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Magic Responsive Slider and Carousel WordPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel allows Reflected XSS. This issue affects Magic Responsive Slider and Carousel WordPress: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2025-49043 | https://patchstack.com/database/Wordpress/Plugin/magic_carousel/vulnerability/wordpress-magic-responsive-slider-and-carousel-wordpress-plugin-1-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Magic Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS. This issue affects Magic Slider: from n/a through <= 2.2. | 2026-01-22 | not yet calculated | CVE-2025-48094 | https://patchstack.com/database/Wordpress/Plugin/magic_slider/vulnerability/wordpress-magic-slider-plugin-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Universal Video Player | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.4. | 2026-01-22 | not yet calculated | CVE-2025-69048 | https://patchstack.com/database/Wordpress/Plugin/universal-video-player/vulnerability/wordpress-universal-video-player-plugin-3-8-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Universal Video Player | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.4. | 2026-01-22 | not yet calculated | CVE-2025-69053 | https://patchstack.com/database/Wordpress/Plugin/universal-video-player/vulnerability/wordpress-universal-video-player-plugin-3-8-4-reflected-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| LambertGroup--xPromoter | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS. This issue affects xPromoter: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-49046 | https://patchstack.com/database/Wordpress/Plugin/top_bar_promoter/vulnerability/wordpress-xpromoter-plugin-1-3-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Langflow--Langflow | Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27322. | 2026-01-23 | not yet calculated | CVE-2026-0768 | ZDI-26-034 |
| Langflow--Langflow | Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the eval_custom_component_code function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26972. | 2026-01-23 | not yet calculated | CVE-2026-0769 | ZDI-26-035 |
| Langflow--Langflow | Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325. | 2026-01-23 | not yet calculated | CVE-2026-0770 | ZDI-26-036 |
| Langflow--Langflow | Langflow PythonFunction Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Attack vectors and exploitability will vary depending on the configuration of the product. The specific flaw exists within the handling of Python function components. Depending upon product configuration, an attacker may be able to introduce custom Python code into a workflow. An attacker can leverage this vulnerability to execute code in the context of the application. Was ZDI-CAN-27497. | 2026-01-23 | not yet calculated | CVE-2026-0771 | ZDI-26-037 |
| Langflow--Langflow | Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability. The specific flaw exists within the disk cache service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27919. | 2026-01-23 | not yet calculated | CVE-2026-0772 | ZDI-26-038 |
| langfuse--langfuse | Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. This issue has been fixed in version 3.147.0. | 2026-01-22 | not yet calculated | CVE-2026-24055 | https://github.com/langfuse/langfuse/security/advisories/GHSA-pvq7-vvfj-p98x https://github.com/langfuse/langfuse/commit/3adc89e4d72729eabef55e46888b8ce80a7e3b0a https://github.com/langfuse/langfuse/releases/tag/v3.147.0 https://langfuse.com/docs/prompt-management/features/webhooks-slack-integrations |
| launchinteractive--Merge + Minify + Refresh | Cross-Site Request Forgery (CSRF) vulnerability in launchinteractive Merge + Minify + Refresh merge-minify-refresh allows Cross Site Request Forgery. This issue affects Merge + Minify + Refresh: from n/a through <= 2.14. | 2026-01-22 | not yet calculated | CVE-2026-24384 | https://patchstack.com/database/Wordpress/Plugin/merge-minify-refresh/vulnerability/wordpress-merge-minify-refresh-plugin-2-14-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| LavaLite--LavaLite CMS | LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim. | 2026-01-23 | not yet calculated | CVE-2025-71177 | https://github.com/LavaLite/cms/issues/420 https://lavalite.org/ https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search |
| LazyCoders LLC--LazyTasks | Incorrect Privilege Assignment vulnerability in LazyCoders LLC LazyTasks lazytasks-project-task-management allows Privilege Escalation. This issue affects LazyTasks: from n/a through <= 1.4.01. | 2026-01-22 | not yet calculated | CVE-2025-68869 | https://patchstack.com/database/Wordpress/Plugin/lazytasks-project-task-management/vulnerability/wordpress-lazytasks-plugin-1-2-37-privilege-escalation-vulnerability?_s_id=cve |
| Leap13--Premium Addons for Elementor | Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63. | 2026-01-22 | not yet calculated | CVE-2025-69300 | https://patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-11-63-settings-change-vulnerability?_s_id=cve |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. Increment the reference count also for non-OF so that the caller can decrement it unconditionally. Note that this is inherently racy just as using the returned I2C device is since nothing is preventing the PHY driver from being unbound while in use. | 2026-01-23 | not yet calculated | CVE-2025-71145 | https://git.kernel.org/stable/c/43e58abad6c08c5f0943594126ef4cd6559aac0b https://git.kernel.org/stable/c/03bbdaa4da8c6ea0c8431a5011db188a07822c8a https://git.kernel.org/stable/c/75c5d9bce072abbbc09b701a49869ac23c34a906 https://git.kernel.org/stable/c/5d3df03f70547d4e3fc10ed4381c052eff51b157 https://git.kernel.org/stable/c/7501ecfe3e5202490c2d13dc7e181203601fcd69 https://git.kernel.org/stable/c/b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: fix leaked ct in error paths There are some situations where ct might be leaked as error paths are skipping the refcounted check and return immediately. In order to solve it make sure that the check is always called. | 2026-01-23 | not yet calculated | CVE-2025-71146 | https://git.kernel.org/stable/c/08fa37f4c8c59c294e9c18fea2d083ee94074e5a https://git.kernel.org/stable/c/e1ac8dce3a893641bef224ad057932f142b8a36f https://git.kernel.org/stable/c/f381a33f34dda9e4023e38ba68c943bca83245e9 https://git.kernel.org/stable/c/325eb61bb30790ea27782203a17b007ce1754a67 https://git.kernel.org/stable/c/0b88be7211d21a0d68bb1e56dc805944e3654d6f https://git.kernel.org/stable/c/4bd2b89f4028f250dd1c1625eb3da1979b04a5e8 https://git.kernel.org/stable/c/2e2a720766886190a6d35c116794693aabd332b6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd 'tpm2_load_cmd' allocates a temporary blob indirectly via 'tpm2_key_decode' but it is not freed in the failure paths. Address this by wrapping the blob with a cleanup helper. | 2026-01-23 | not yet calculated | CVE-2025-71147 | https://git.kernel.org/stable/c/3fd7df4636d8fd5e3592371967a5941204368936 https://git.kernel.org/stable/c/af0689cafb127a8d1af78cc8b72585c9b2a19ecd https://git.kernel.org/stable/c/19166de9737218b77122c41a5730ac87025e089f https://git.kernel.org/stable/c/9b015f2918b95bdde2ca9cefa10ef02b138aae1e https://git.kernel.org/stable/c/9e7c63c69f57b1db1a8a1542359a6167ff8fcef1 https://git.kernel.org/stable/c/62cd5d480b9762ce70d720a81fa5b373052ae05f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/handshake: restore destructor on submit failure handshake_req_submit() replaces sk->sk_destruct but never restores it when submission fails before the request is hashed. handshake_sk_destruct() then returns early and the original destructor never runs, leaking the socket. Restore sk_destruct on the error path. | 2026-01-23 | not yet calculated | CVE-2025-71148 | https://git.kernel.org/stable/c/cd8cf2be3717137554744233fda051ffc09d1d44 https://git.kernel.org/stable/c/7b82a1d6ae869533d8bdb0282a3a78faed8e63dd https://git.kernel.org/stable/c/b225325be7b247c7268e65eea6090db1fc786d1f https://git.kernel.org/stable/c/6af2a01d65f89e73c1cbb9267f8880d83a88cee4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted. Additionally, ensure that if an update does cause an existing POLL_ADD to complete, that the completion value isn't always overwritten with -ECANCELED. For that case, whatever io_poll_add() set the value to should just be retained. | 2026-01-23 | not yet calculated | CVE-2025-71149 | https://git.kernel.org/stable/c/8b777ab48441b153502772ecfc78c107d4353f29 https://git.kernel.org/stable/c/0126560370ed5217958b85657b590ad25e8b9c00 https://git.kernel.org/stable/c/c1669c03bfbc2a9b5ebff4428eecebe734c646fe https://git.kernel.org/stable/c/13a8f7b88c2d40c6b33f6216190478dda95d385f https://git.kernel.org/stable/c/84230ad2d2afbf0c44c32967e525c0ad92e26b4e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2_SESSION_VALID, it indicates that no valid session was found, but the reference count acquired by the session lookup is not decremented, which results in a reference count leak. This patch fixes the issue by explicitly calling ksmbd_user_session_put to release the reference to the session. | 2026-01-23 | not yet calculated | CVE-2025-71150 | https://git.kernel.org/stable/c/0fb87b28cafae71e9c8248432cc3a6a1fd759efc https://git.kernel.org/stable/c/e54fb2a4772545701766cba08aab20de5eace8cd https://git.kernel.org/stable/c/02e06785e85b4bd86ef3d23b7c8d87acc76773d5 https://git.kernel.org/stable/c/8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7 https://git.kernel.org/stable/c/cafb57f7bdd57abba87725eb4e82bbdca4959644 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix memory and information leak in smb3_reconfigure() In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the function returns immediately without freeing and erasing the newly allocated new_password and new_password2. This causes both a memory leak and a potential information leak. Fix this by calling kfree_sensitive() on both password buffers before returning in this error case. | 2026-01-23 | not yet calculated | CVE-2025-71151 | https://git.kernel.org/stable/c/bc390b2737205163e48cc1655f6a0c8cd55b02fc https://git.kernel.org/stable/c/5679cc90bb5415801fa29041da0319d9e15d295d https://git.kernel.org/stable/c/bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6 https://git.kernel.org/stable/c/cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: properly keep track of conduit reference Problem description ------------------- DSA has a mumbo-jumbo of reference handling of the conduit net device and its kobject which, sadly, is just wrong and doesn't make sense. There are two distinct problems. 1. The OF path, which uses of_find_net_device_by_node(), never releases the elevated refcount on the conduit's kobject. Nominally, the OF and non-OF paths should result in objects having identical reference counts taken, and it is already suspicious that dsa_dev_to_net_device() has a put_device() call which is missing in dsa_port_parse_of(), but we can actually even verify that an issue exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command "before" and "after" applying this patch: (unbind the conduit driver for net device eno2) echo 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbind we see these lines in the output diff which appear only with the patch applied: kobject: 'eno2' (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000) kobject: '109' (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000) 2. After we find the conduit interface one way (OF) or another (non-OF), it can get unregistered at any time, and DSA remains with a long-lived, but in this case stale, cpu_dp->conduit pointer. Holding the net device's underlying kobject isn't actually of much help, it just prevents it from being freed (but we never need that kobject directly). What helps us to prevent the net device from being unregistered is the parallel netdev reference mechanism (dev_hold() and dev_put()). Actually, we use that netdev tracker mechanism implicitly on user ports since commit 2f1e8ea726e9 ("net: dsa: link interfaces with the DSA master to get rid of lockdep warnings"), via netdev_upper_dev_link(). But time still passes at DSA switch probe time between the initial of_find_net_device_by_node() code and the user port creation time, time during which the conduit could unregister itself and DSA wouldn't know about it. So we have to run of_find_net_device_by_node() under rtnl_lock() to prevent that from happening, and release the lock only with the netdev tracker having acquired the reference. Do we need to keep the reference until dsa_unregister_switch() / dsa_switch_shutdown()? 1: Maybe yes. A switch device will still be registered even if all user ports failed to probe, see commit 86f8b1c01a0a ("net: dsa: Do not make user port errors fatal"), and the cpu_dp->conduit pointers remain valid. I haven't audited all call paths to see whether they will actually use the conduit in lack of any user port, but if they do, it seems safer to not rely on user ports for that reference. 2. Definitely yes. We support changing the conduit which a user port is associated to, and we can get into a situation where we've moved all user ports away from a conduit, thus no longer hold any reference to it via the net device tracker. But we shouldn't let it go nonetheless - see the next change in relation to dsa_tree_find_first_conduit() and LAG conduits which disappear. We have to be prepared to return to the physical conduit, so the CPU port must explicitly keep another reference to it. This is also to say: the user ports and their CPU ports may not always keep a reference to the same conduit net device, and both are needed. As for the conduit's kobject for the /sys/class/net/ entry, we don't care about it, we can release it as soon as we hold the net device object itself. History and blame attribution ----------------------------- The code has been refactored so many times, it is very difficult to follow and properly attribute a blame, but I'll try to make a short history which I hope to be correct. We have two distinct probing paths: - one for OF, introduced in 2016 i ---truncated--- | 2026-01-23 | not yet calculated | CVE-2025-71152 | https://git.kernel.org/stable/c/0e766b77ba5093583dfe609fae0aa1545c46dbbd https://git.kernel.org/stable/c/06e219f6a706c367c93051f408ac61417643d2f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix memory leak in get_file_all_info() In get_file_all_info(), if vfs_getattr() fails, the function returns immediately without freeing the allocated filename, leading to a memory leak. Fix this by freeing the filename before returning in this error case. | 2026-01-23 | not yet calculated | CVE-2025-71153 | https://git.kernel.org/stable/c/5012b4c812230ae066902a00442708c999111183 https://git.kernel.org/stable/c/676907004256e0226c7ed3691db9f431404ca258 https://git.kernel.org/stable/c/d026f47db68638521df8543535ef863814fb01b1 https://git.kernel.org/stable/c/0c56693b06a68476ba113db6347e7897475f9e4c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is only called after the URB is successfully submitted and completes (successfully or with error). If submission fails, the callback never runs and the memory is leaked. Fix this by freeing both the URB and the request structure in the error path when usb_submit_urb() fails. | 2026-01-23 | not yet calculated | CVE-2025-71154 | https://git.kernel.org/stable/c/a4e2442d3c48355a84463342f397134f149936d7 https://git.kernel.org/stable/c/2f966186b99550e3c665dbfb87b8314e30acea02 https://git.kernel.org/stable/c/db2244c580540306d60ce783ed340190720cd429 https://git.kernel.org/stable/c/4bd4ea3eb326608ffc296db12c105f92dc2f2190 https://git.kernel.org/stable/c/6492ad6439ff1a479fc94dc6052df3628faed8b6 https://git.kernel.org/stable/c/151403e903840c9cf06754097b6732c14f26c532 https://git.kernel.org/stable/c/12cab1191d9890097171156d06bfa8d31f1e39c8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: s390: Fix gmap_helper_zap_one_page() again A few checks were missing in gmap_helper_zap_one_page(), which can lead to memory corruption in the guest under specific circumstances. Add the missing checks. | 2026-01-23 | not yet calculated | CVE-2025-71155 | https://git.kernel.org/stable/c/2af2abbcbf8573100288e8f8aea2dab8a2a0ceb7 https://git.kernel.org/stable/c/2f393c228cc519ddf19b8c6c05bf15723241aa96 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gve: defer interrupt enabling until NAPI registration Currently, interrupts are automatically enabled immediately upon request. This allows an interrupt to fire before the associated NAPI context is fully initialized and cause failures like below: [ 0.946369] Call Trace: [ 0.946369] <IRQ> [ 0.946369] __napi_poll+0x2a/0x1e0 [ 0.946369] net_rx_action+0x2f9/0x3f0 [ 0.946369] handle_softirqs+0xd6/0x2c0 [ 0.946369] ? handle_edge_irq+0xc1/0x1b0 [ 0.946369] __irq_exit_rcu+0xc3/0xe0 [ 0.946369] common_interrupt+0x81/0xa0 [ 0.946369] </IRQ> [ 0.946369] <TASK> [ 0.946369] asm_common_interrupt+0x22/0x40 [ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10 Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto enablement and explicitly enable the interrupt in the NAPI initialization path (and disable it during NAPI teardown). This ensures that the interrupt lifecycle is strictly coupled with the readiness of the NAPI context. | 2026-01-23 | not yet calculated | CVE-2025-71156 | https://git.kernel.org/stable/c/f5b7f49bd2377916ad57cbd1210c61196daff013 https://git.kernel.org/stable/c/48f9277680925e1a8623d6b2c50aadb7af824ace https://git.kernel.org/stable/c/3d970eda003441f66551a91fda16478ac0711617 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/core: always drop device refcount in ib_del_sub_device_and_put() Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add support to add/delete a sub IB device through netlink")) grabs a reference using ib_device_get_by_index() before calling ib_del_sub_device_and_put(), we need to drop that reference before returning the -EOPNOTSUPP error. | 2026-01-23 | not yet calculated | CVE-2025-71157 | https://git.kernel.org/stable/c/20436f2742a92b7afeb2504eb559a98d2196b001 https://git.kernel.org/stable/c/fe8d456080423b9ed410469fbd1e2098d3acce2b https://git.kernel.org/stable/c/fa3c411d21ebc26ffd175c7256c37cefa35020aa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: ensure worker is torn down When an IRQ worker is running, unplugging the device would cause a crash. The sealevel hardware this driver was written for was not hotpluggable, so I never realized it. This change uses a spinlock to protect a list of workers, which it tears down on disconnect. | 2026-01-23 | not yet calculated | CVE-2025-71158 | https://git.kernel.org/stable/c/472d900c8bcac301ae0e40fdca7db799bd989ff5 https://git.kernel.org/stable/c/179ef1127d7a4f09f0e741fa9f30b8a8e7886271 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes") moved refcount_set inside the critical section, which means there is no longer a memory barrier between setting the refcount and setting btrfs_inode->delayed_node. Without that barrier, the stores to node->refs and btrfs_inode->delayed_node may become visible out of order. Another thread can then read btrfs_inode->delayed_node and attempt to increment a refcount that hasn't been set yet, leading to a refcounting bug and a use-after-free warning. The fix is to move refcount_set back to where it was to take advantage of the implicit memory barrier provided by lock acquisition. Because the allocations now happen outside of the lock's critical section, they can use GFP_NOFS instead of GFP_ATOMIC. | 2026-01-23 | not yet calculated | CVE-2025-71159 | https://git.kernel.org/stable/c/c8385851a5435f4006281828d428e5d0b0bbf8af https://git.kernel.org/stable/c/83f59076a1ae6f5c6845d6f7ed3a1a373d883684 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid chain re-validation if possible Hamza Mahfooz reports cpu soft lock-ups in nft_chain_validate(): watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547] [..] RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables] [..] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_table_validate+0x6b/0xb0 [nf_tables] nf_tables_validate+0x8b/0xa0 [nf_tables] nf_tables_commit+0x1df/0x1eb0 [nf_tables] [..] Currently nf_tables will traverse the entire table (chain graph), starting from the entry points (base chains), exploring all possible paths (chain jumps). But there are cases where we could avoid revalidation. Consider: 1 input -> j2 -> j3 2 input -> j2 -> j3 3 input -> j1 -> j2 -> j3 Then the second rule does not need to revalidate j2, and, by extension j3, because this was already checked during validation of the first rule. We need to validate it only for rule 3. This is needed because chain loop detection also ensures we do not exceed the jump stack: Just because we know that j2 is cycle free, its last jump might now exceed the allowed stack size. We also need to update all reachable chains with the new largest observed call depth. Care has to be taken to revalidate even if the chain depth won't be an issue: chain validation also ensures that expressions are not called from invalid base chains. For example, the masquerade expression can only be called from NAT postrouting base chains. Therefore we also need to keep record of the base chain context (type, hooknum) and revalidate if the chain becomes reachable from a different hook location. | 2026-01-23 | not yet calculated | CVE-2025-71160 | https://git.kernel.org/stable/c/53de1e6cde8f9b791d9cf61aa0e7b02cf5bbe8b1 https://git.kernel.org/stable/c/14fa3d1927f1382f86e3f70a51f26005c8e3cff6 https://git.kernel.org/stable/c/09d6074995c186e449979fe6c1b0f1a69cf9bd3b https://git.kernel.org/stable/c/8e1a1bc4f5a42747c08130b8242ebebd1210b32f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions - that means that there may be at most 253^4 (4 billion) iterations. Red Hat QE team actually created an image that pushes dm-verity to this limit - and this image just makes the udev-worker process get stuck in the 'D' state. 2. It doesn't work. In fec_read_bufs we store data into the variable "fio->bufs", but fio bufs is shared between recursive invocations, if "verity_hash_for_block" invoked correction recursively, it would overwrite partially filled fio->bufs. | 2026-01-23 | not yet calculated | CVE-2025-71161 | https://git.kernel.org/stable/c/232948cf600fba69aff36b25d85ef91a73a35756 https://git.kernel.org/stable/c/d9f3e47d3fae0c101d9094bc956ed24e7a0ee801 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it. The race condition follows this sequence: 1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet) 2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree() 3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs. Fix this by properly synchronizing the virtual channel completion: - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor. - Add the callback tegra_adma_synchronize() that calls vchan_synchronize() which kills any pending tasklets and frees any terminated descriptors. Crash logs: [ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0 [ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0 [ 337.427562] Call trace: [ 337.427564] dump_backtrace+0x0/0x320 [ 337.427571] show_stack+0x20/0x30 [ 337.427575] dump_stack_lvl+0x68/0x84 [ 337.427584] print_address_description.constprop.0+0x74/0x2b8 [ 337.427590] kasan_report+0x1f4/0x210 [ 337.427598] __asan_load8+0xa0/0xd0 [ 337.427603] vchan_complete+0x124/0x3b0 [ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0 [ 337.427617] tasklet_action+0x30/0x40 [ 337.427623] __do_softirq+0x1a0/0x5c4 [ 337.427628] irq_exit+0x110/0x140 [ 337.427633] handle_domain_irq+0xa4/0xe0 [ 337.427640] gic_handle_irq+0x64/0x160 [ 337.427644] call_on_irq_stack+0x20/0x4c [ 337.427649] do_interrupt_handler+0x7c/0x90 [ 337.427654] el1_interrupt+0x30/0x80 [ 337.427659] el1h_64_irq_handler+0x18/0x30 [ 337.427663] el1h_64_irq+0x7c/0x80 [ 337.427667] cpuidle_enter_state+0xe4/0x540 [ 337.427674] cpuidle_enter+0x54/0x80 [ 337.427679] do_idle+0x2e0/0x380 [ 337.427685] cpu_startup_entry+0x2c/0x70 [ 337.427690] rest_init+0x114/0x130 [ 337.427695] arch_call_rest_init+0x18/0x24 [ 337.427702] start_kernel+0x380/0x3b4 [ 337.427706] __primary_switched+0xc0/0xc8 | 2026-01-25 | not yet calculated | CVE-2025-71162 | https://git.kernel.org/stable/c/cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca https://git.kernel.org/stable/c/be655c3736b3546f39bc8116ffbf2a3b6cac96c4 https://git.kernel.org/stable/c/2efd07a7c36949e6fa36a69183df24d368bf9e96 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix device leaks on compat bind and unbind Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface. | 2026-01-25 | not yet calculated | CVE-2025-71163 | https://git.kernel.org/stable/c/0c97ff108f825a70c3bb29d65ddf0a013d231bb9 https://git.kernel.org/stable/c/a7226fd61def74b60dd8e47ec84cabafc39d575b https://git.kernel.org/stable/c/799900f01792cf8b525a44764f065f83fcafd468 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the dev as the root qdisc, and 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() / qdisc_put()) and is pending to be destroyed, as in function tc_new_tfilter. When packets are enqueued through the root QFQ qdisc, the shared leaf_qdisc->q.qlen increases. At the same time, the second QFQ qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters qfq_reset() with its own q->q.qlen == 0, but its class's leaf qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: [ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 0.903571] #PF: supervisor write access in kernel mode [ 0.903860] #PF: error_code(0x0002) - not-present page [ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 [ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI [ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE [ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) [ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 Code starting with the faulting instruction =========================================== 0: 0f 84 4d 01 00 00 je 0x153 6: 48 89 70 18 mov %rsi,0x18(%rax) a: 8b 4b 10 mov 0x10(%rbx),%ecx d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx 14: 48 8b 78 08 mov 0x8(%rax),%rdi 18: 48 d3 e2 shl %cl,%rdx 1b: 48 21 f2 and %rsi,%rdx 1e: 48 2b 13 sub (%rbx),%rdx 21: 48 8b 30 mov (%rax),%rsi 24: 48 d3 ea shr %cl,%rdx 27: 8b 4b 18 mov 0x18(%rbx),%ecx ... [ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 [ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 [ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 [ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 [ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 [ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 [ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 [ 0.910247] PKRU: 55555554 [ 0.910391] Call Trace: [ 0.910527] <TASK> [ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) [ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) [ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) [ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) [ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) [ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) [ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) [ 0.912296] ? __alloc_skb (net/core/skbuff.c:706) [ 0.912484] netlink_sendmsg (net/netlink/af ---truncated--- | 2026-01-21 | not yet calculated | CVE-2026-22976 | https://git.kernel.org/stable/c/6116a83ec167d3ab1390cded854d237481f41b63 https://git.kernel.org/stable/c/0809c4bc06c9c961222df29f2eccfd449304056f https://git.kernel.org/stable/c/cdb24200b043438a144df501f1ebbd926bb1a2c7 https://git.kernel.org/stable/c/11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb https://git.kernel.org/stable/c/43497313d0da3e12b5cfcd97aa17bf48ee663f95 https://git.kernel.org/stable/c/51ffd447bc37bf1a5776b85523f51d2bc69977f6 https://git.kernel.org/stable/c/c1d73b1480235731e35c81df70b08f4714a7d095 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercopy panic in sock_recv_errqueue skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the kernel attempts to copy sk_buff.cb data to userspace via sock_recv_errqueue() -> put_cmsg(). The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() (from skbuff_fclone_cache) [1] 2. The skb is cloned via skb_clone() using the pre-allocated fclone [3] 3. The cloned skb is queued to sk_error_queue for timestamp reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) 5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb [4] 6. __check_heap_object() fails because skbuff_fclone_cache has no usercopy whitelist [5] When cloned skbs allocated from skbuff_fclone_cache are used in the socket error queue, accessing the sock_exterr_skb structure in skb->cb via put_cmsg() triggers a usercopy hardening violation: [ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! [ 5.382796] kernel BUG at mm/usercopy.c:102! [ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 [ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 [ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 [ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 [ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 [ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 [ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 [ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 [ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 [ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 [ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 [ 5.384903] PKRU: 55555554 [ 5.384903] Call Trace: [ 5.384903] <TASK> [ 5.384903] __check_heap_object+0x9a/0xd0 [ 5.384903] __check_object_size+0x46c/0x690 [ 5.384903] put_cmsg+0x129/0x5e0 [ 5.384903] sock_recv_errqueue+0x22f/0x380 [ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? schedule+0x6d/0x270 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? mutex_unlock+0x81/0xd0 [ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 [ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 [ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 [ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 The crash offset 296 corresponds to skb2->cb within skbuff_fclones: - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 - offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 = 272 + 24 (inside sock_exterr_skb.ee) This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. [1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 [2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 [3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 [4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 [5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 | 2026-01-21 | not yet calculated | CVE-2026-22977 | https://git.kernel.org/stable/c/88dd6be7ebb3153b662c2cebcb06e032a92857f5 https://git.kernel.org/stable/c/c655d2167bf014d4c61b4faeca59b60ff9b9f6b1 https://git.kernel.org/stable/c/8c6901aa29626e35045130bac09b75f791acca85 https://git.kernel.org/stable/c/582a5e922a9652fcbb7d0165c95d5b20aa37575d https://git.kernel.org/stable/c/005671c60fcf1dbdb8bddf12a62568fd5e4ec391 https://git.kernel.org/stable/c/e00b169eaac5f7cdbf710c354c8fa76d02009115 https://git.kernel.org/stable/c/2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space. | 2026-01-23 | not yet calculated | CVE-2026-22978 | https://git.kernel.org/stable/c/d943b5f592767b107ba8c12a902f17431350378c https://git.kernel.org/stable/c/a3827e310b5a73535646ef4a552d53b3c8bf74f6 https://git.kernel.org/stable/c/442ceac0393185e9982323f6682a52a53e8462b1 https://git.kernel.org/stable/c/d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8 https://git.kernel.org/stable/c/024f71a57d563fbe162e528c8bf2d27e9cac7c7b https://git.kernel.org/stable/c/e3c35177103ead4658b8a62f41e3080d45885464 https://git.kernel.org/stable/c/21cbf883d073abbfe09e3924466aa5e0449e7261 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in skb_segment_list for GRO packets When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine. Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments. Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this truesize subtraction in skb_segment_list() was valid because fragments still carry a reference to the original socket. However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed this behavior by ensuring that fraglist entries are explicitly orphaned (skb->sk = NULL) to prevent illegal orphaning later in the stack. This change meant that the entire socket memory charge remained with the head SKB, but the corresponding accounting logic in skb_segment_list() was never updated. As a result, the current code unconditionally adds each fragment's truesize to delta_truesize and subtracts it from the parent SKB. Since the fragments are no longer charged to the socket, this subtraction results in an effective under-count of memory when the head is freed. This causes sk_wmem_alloc to remain non-zero, preventing socket destruction and leading to a persistent memory leak. The leak can be observed via KMEMLEAK when tearing down the networking environment: unreferenced object 0xffff8881e6eb9100 (size 2048): comm "ping", pid 6720, jiffies 4295492526 backtrace: kmem_cache_alloc_noprof+0x5c6/0x800 sk_prot_alloc+0x5b/0x220 sk_alloc+0x35/0xa00 inet6_create.part.0+0x303/0x10d0 __sock_create+0x248/0x640 __sys_socket+0x11b/0x1d0 Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST packets constructed by GRO, the truesize adjustment is removed. The call to skb_release_head_state() must be preserved. As documented in commit cf673ed0e057 ("net: fix fraglist segmentation reference count leak"), it is still required to correctly drop references to SKB extensions that may be overwritten during __copy_skb_header(). | 2026-01-23 | not yet calculated | CVE-2026-22979 | https://git.kernel.org/stable/c/0b27828ebd1ed3107d7929c3737adbe862e99e74 https://git.kernel.org/stable/c/88bea149db2057112af3aaf63534b24fab5858ab https://git.kernel.org/stable/c/3264881431e308b9c72cb8a0159d57a56d67dd79 https://git.kernel.org/stable/c/c114a32a2e70b82d447f409f7ffcfa3058f9d5bd https://git.kernel.org/stable/c/238e03d0466239410b72294b79494e43d4fabe77 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: provide locking for v4_end_grace Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particular. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock. nfsd4_end_grace() is also called by the laundromat work queue and this doesn't require locking as server shutdown will stop the work and wait for it before freeing anything that nfsd4_end_grace() might access. However, we must be sure that writing to v4_end_grace doesn't restart the work item after shutdown has already waited for it. For this we add a new flag protected with nn->client_lock. It is set only while it is safe to make client tracking calls, and v4_end_grace only schedules work while the flag is set with the spinlock held. So this patch adds a nfsd_net field "client_tracking_active" which is set as described. Another field "grace_end_forced", is set when v4_end_grace is written. After this is set, and providing client_tracking_active is set, the laundromat is scheduled. This "grace_end_forced" field bypasses other checks for whether the grace period has finished. This resolves a race which can result in use-after-free. | 2026-01-23 | not yet calculated | CVE-2026-22980 | https://git.kernel.org/stable/c/ca97360860eb02e3ae4ba42c19b439a0fcecbf06 https://git.kernel.org/stable/c/e8bfa2401d4c51eca6e48e9b33c798828ca9df61 https://git.kernel.org/stable/c/34eb22836e0cdba093baac66599d68c4cd245a9d https://git.kernel.org/stable/c/06600719d0f7a723811c45e4d51f5b742f345309 https://git.kernel.org/stable/c/ba4811c8b433bfa681729ca42cc62b6034f223b0 https://git.kernel.org/stable/c/53f07d095e7e680c5e4569a55a019f2c0348cdc6 https://git.kernel.org/stable/c/2857bd59feb63fcf40fe4baf55401baea6b4feb4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: detach and close netdevs while handling a reset Protect the reset path from callbacks by setting the netdevs to detached state and close any netdevs in UP state until the reset handling has completed. During a reset, the driver will de-allocate resources for the vport, and there is no guarantee that those will recover, which is why the existing vport_ctrl_lock does not provide sufficient protection. idpf_detach_and_close() is called right before reset handling. If the reset handling succeeds, the netdevs state is recovered via call to idpf_attach_and_open(). If the reset handling fails the netdevs remain down. The detach/down calls are protected with RTNL lock to avoid racing with callbacks. On the recovery side the attach can be done without holding the RTNL lock as there are no callbacks expected at that point, due to detach/close always being done first in that flow. The previous logic restoring the netdevs state based on the IDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence the removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is still being used to restore the state of the netdevs following the reset, but has no use outside of the reset handling flow. idpf_init_hard_reset() is converted to void, since it was used as such and there is no error handling being done based on its return value. Before this change, invoking hard and soft resets simultaneously will cause the driver to lose the vport state: ip -br a <inf> UP echo 1 > /sys/class/net/ens801f0/device/reset& \ ethtool -L ens801f0 combined 8 ip -br a <inf> DOWN ip link set <inf> up ip -br a <inf> DOWN Also in case of a failure in the reset path, the netdev is left exposed to external callbacks, while vport resources are not initialized, leading to a crash on subsequent ifup/down: [408471.398966] idpf 0000:83:00.0: HW reset detected [408471.411744] idpf 0000:83:00.0: Device HW Reset initiated [408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2 [408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078 [408508.126112] #PF: supervisor read access in kernel mode [408508.126687] #PF: error_code(0x0000) - not-present page [408508.127256] PGD 2aae2f067 P4D 0 [408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI ... [408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf] ... [408508.139193] Call Trace: [408508.139637] <TASK> [408508.140077] __dev_close_many+0xbb/0x260 [408508.140533] __dev_change_flags+0x1cf/0x280 [408508.140987] netif_change_flags+0x26/0x70 [408508.141434] dev_change_flags+0x3d/0xb0 [408508.141878] devinet_ioctl+0x460/0x890 [408508.142321] inet_ioctl+0x18e/0x1d0 [408508.142762] ? _copy_to_user+0x22/0x70 [408508.143207] sock_do_ioctl+0x3d/0xe0 [408508.143652] sock_ioctl+0x10e/0x330 [408508.144091] ? find_held_lock+0x2b/0x80 [408508.144537] __x64_sys_ioctl+0x96/0xe0 [408508.144979] do_syscall_64+0x79/0x3d0 [408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e [408508.145860] RIP: 0033:0x7f3e0bb4caff | 2026-01-23 | not yet calculated | CVE-2026-22981 | https://git.kernel.org/stable/c/ac122f5fb050903b3d262001562c452be95eaf70 https://git.kernel.org/stable/c/2e281e1155fc476c571c0bd2ffbfe28ab829a5c3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic and is susceptible to the same crash. This issue specifically affects the ocelot_vsc7514.c frontend, which leaves unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as it uses the DSA framework which registers all ports. Fix this by checking if the port pointer is valid before accessing it. | 2026-01-23 | not yet calculated | CVE-2026-22982 | https://git.kernel.org/stable/c/8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d https://git.kernel.org/stable/c/b17818307446c5a8d925a39a792261dbfa930041 https://git.kernel.org/stable/c/2985712dc76dfa670eb7fd607c09d4d48e5f5c6e https://git.kernel.org/stable/c/03fb1708b7d1e76aecebf767ad059c319845039f https://git.kernel.org/stable/c/f490af47bbee02441e356a1e0b86e3b3dd5120ff https://git.kernel.org/stable/c/34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: do not write to msg_get_inq in callee NULL pointer dereference fix. msg_get_inq is an input field from caller to callee. Don't set it in the callee, as the caller may not clear it on struct reuse. This is a kernel-internal variant of msghdr only, and the only user does reinitialize the field. So this is not critical for that reason. But it is more robust to avoid the write, and slightly simpler code. And it fixes a bug, see below. Callers set msg_get_inq to request the input queue length to be returned in msg_inq. This is equivalent to but independent from the SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq). To reduce branching in the hot path the second also sets the msg_inq. That is WAI. This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for"), which fixed the inverse. Also avoid NULL pointer dereference in unix_stream_read_generic if state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg can happen when splicing as of commit 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets"). Also collapse two branches using a bitwise or. | 2026-01-23 | not yet calculated | CVE-2026-22983 | https://git.kernel.org/stable/c/ffa2be496ef65055b28b39c6bd9a7d66943ee89a https://git.kernel.org/stable/c/7d11e047eda5f98514ae62507065ac961981c025 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ] | 2026-01-23 | not yet calculated | CVE-2026-22984 | https://git.kernel.org/stable/c/194cfe2af4d2a1de599d39dad636b47c2f6c2c96 https://git.kernel.org/stable/c/79fe3511db416d2f2edcfd93569807cb02736e5e https://git.kernel.org/stable/c/ef208ea331ef688729f64089b895ed1b49e842e3 https://git.kernel.org/stable/c/2802ef3380fa8c4a08cda51ec1f085b1a712e9e2 https://git.kernel.org/stable/c/2d653bb63d598ae4b096dd678744bdcc34ee89e8 https://git.kernel.org/stable/c/818156caffbf55cb4d368f9c3cac64e458fb49c9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations The RSS LUT is not initialized until the interface comes up, causing the following NULL pointer crash when ethtool operations like rxhash on/off are performed before the interface is brought up for the first time. Move RSS LUT initialization from ndo_open to vport creation to ensure LUT is always available. This enables RSS configuration via ethtool before bringing the interface up. Simplify LUT management by maintaining all changes in the driver's soft copy and programming zeros to the indirection table when rxhash is disabled. Defer HW programming until the interface comes up if it is down during rxhash and LUT configuration changes. Steps to reproduce: ** Load idpf driver; interfaces will be created modprobe idpf ** Before bringing the interfaces up, turn rxhash off ethtool -K eth2 rxhash off [89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000 [89408.371908] #PF: supervisor read access in kernel mode [89408.371924] #PF: error_code(0x0000) - not-present page [89408.371940] PGD 0 P4D 0 [89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [89408.372052] RIP: 0010:memcpy_orig+0x16/0x130 [89408.372310] Call Trace: [89408.372317] <TASK> [89408.372326] ? idpf_set_features+0xfc/0x180 [idpf] [89408.372363] __netdev_update_features+0x295/0xde0 [89408.372384] ethnl_set_features+0x15e/0x460 [89408.372406] genl_family_rcv_msg_doit+0x11f/0x180 [89408.372429] genl_rcv_msg+0x1ad/0x2b0 [89408.372446] ? __pfx_ethnl_set_features+0x10/0x10 [89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10 [89408.372482] netlink_rcv_skb+0x58/0x100 [89408.372502] genl_rcv+0x2c/0x50 [89408.372516] netlink_unicast+0x289/0x3e0 [89408.372533] netlink_sendmsg+0x215/0x440 [89408.372551] __sys_sendto+0x234/0x240 [89408.372571] __x64_sys_sendto+0x28/0x30 [89408.372585] x64_sys_call+0x1909/0x1da0 [89408.372604] do_syscall_64+0x7a/0xfa0 [89408.373140] ? clear_bhb_loop+0x60/0xb0 [89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e [89408.378887] </TASK> <snip> | 2026-01-23 | not yet calculated | CVE-2026-22985 | https://git.kernel.org/stable/c/b29a5a7dd1f4293ee49c469938c25bf85a5aa802 https://git.kernel.org/stable/c/83f38f210b85676f40ba8586b5a8edae19b56995 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix race condition for gdev->srcu If two drivers were calling gpiochip_add_data_with_key(), one may be traversing the srcu-protected list in gpio_name_to_desc(), meanwhile the other has just added its gdev in gpiodev_add_to_list_unlocked(). This creates a non-mutexed and non-protected timeframe, when one instance is dereferencing and using &gdev->srcu, before the other has initialized it, resulting in a crash: [ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000 [ 4.943396] Mem abort info: [ 4.943400] ESR = 0x0000000096000005 [ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits [ 4.943407] SET = 0, FnV = 0 [ 4.943410] EA = 0, S1PTW = 0 [ 4.943413] FSC = 0x05: level 1 translation fault [ 4.943416] Data abort info: [ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000 [ 4.961449] [ffff800272bcc000] pgd=0000000000000000 [ 4.969203] , p4d=1000000039739003 [ 4.979730] , pud=0000000000000000 [ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node "reset" [ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP ... [ 5.121359] pc : __srcu_read_lock+0x44/0x98 [ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0 [ 5.153671] sp : ffff8000833bb430 [ 5.298440] [ 5.298443] Call trace: [ 5.298445] __srcu_read_lock+0x44/0x98 [ 5.309484] gpio_name_to_desc+0x60/0x1a0 [ 5.320692] gpiochip_add_data_with_key+0x488/0xf00 5.946419] ---[ end trace 0000000000000000 ]--- Move initialization code for gdev fields before it is added to gpio_devices, with adjacent initialization code. Adjust goto statements to reflect modified order of operations [Bartosz: fixed a build issue, removed stray newline] | 2026-01-23 | not yet calculated | CVE-2026-22986 | https://git.kernel.org/stable/c/fb674c8f1a5d8dd3113a7326030f963fa2d79c02 https://git.kernel.org/stable/c/a7ac22d53d0990152b108c3f4fe30df45fcb0181 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy syzbot reported a crash in tc_act_in_hw() during netns teardown where tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action pointer, leading to an invalid dereference. Guard against ERR_PTR entries when iterating the action IDR so teardown does not call tc_act_in_hw() on an error pointer. | 2026-01-23 | not yet calculated | CVE-2026-22987 | https://git.kernel.org/stable/c/67550a1130b647bb0d093c9c0a810c69aa6a30a8 https://git.kernel.org/stable/c/adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer after dev_hard_header() call. | 2026-01-23 | not yet calculated | CVE-2026-22988 | https://git.kernel.org/stable/c/e432dbff342b95fe44645f9a90fcf333c80f4b5e https://git.kernel.org/stable/c/393525dee5c39acff8d6705275d7fcaabcfb7f0a https://git.kernel.org/stable/c/70bddc16491ef4681f3569b3a2c80309a3edcdd1 https://git.kernel.org/stable/c/029935507d0af6553c45380fbf6feecf756fd226 https://git.kernel.org/stable/c/dd6ccec088adff4bdf33e2b2dd102df20a7128fa https://git.kernel.org/stable/c/949647e7771a4a01963fe953a96d81fba7acecf3 https://git.kernel.org/stable/c/c92510f5e3f82ba11c95991824a41e59a9c5ed81 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: check that server is running in unlock_filesystem If we are trying to unlock the filesystem via an administrative interface and nfsd isn't running, it crashes the server. This happens currently because nfsd4_revoke_states() accesses state structures (e.g., conf_id_hashtbl) that have been freed as a part of the server shutdown. [ 59.465072] Call trace: [ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P) [ 59.465830] write_unlock_fs+0x258/0x440 [nfsd] [ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd] [ 59.466780] vfs_write+0x1f0/0x938 [ 59.467088] ksys_write+0xfc/0x1f8 [ 59.467395] __arm64_sys_write+0x74/0xb8 [ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8 [ 59.468177] do_el0_svc+0x154/0x1d8 [ 59.468489] el0_svc+0x40/0xe0 [ 59.468767] el0t_64_sync_handler+0xa0/0xe8 [ 59.469138] el0t_64_sync+0x1ac/0x1b0 Ensure this can't happen by taking the nfsd_mutex and checking that the server is still up, and then holding the mutex across the call to nfsd4_revoke_states(). | 2026-01-23 | not yet calculated | CVE-2026-22989 | https://git.kernel.org/stable/c/d95499900fe52f3d461ed26b7a30bebea8f12914 https://git.kernel.org/stable/c/e06c9f6c0f554148d4921c2a15bd054260a054ac https://git.kernel.org/stable/c/d0424066fcd294977f310964bed6f2a487fa4515 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. | 2026-01-23 | not yet calculated | CVE-2026-22990 | https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9 https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3 https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer. To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating. | 2026-01-23 | not yet calculated | CVE-2026-22991 | https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234 https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4 https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5 https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: return the handler error from mon_handle_auth_done() Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the session in the background. In the case of secure mode this can trigger a WARN in setup_crypto() and later lead to a NULL pointer dereference inside of prepare_auth_signature(). | 2026-01-23 | not yet calculated | CVE-2026-22992 | https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16 https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d https://git.kernel.org/stable/c/e097cd858196b1914309e7e3d79b4fa79383754d https://git.kernel.org/stable/c/d2c4a5f6996683f287f3851ef5412797042de7f1 https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5 https://git.kernel.org/stable/c/e84b48d31b5008932c0a0902982809fbaa1d3b70 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change. After soft reset, set the RSS LUT to default values based on the updated queue count only if the reset was a result of a queue count change and the LUT was not configured by the user. In all other cases, don't touch the LUT. Steps to reproduce: ** Bring the interface down (if up) ifconfig eth1 down ** update the queue count (eg., 27->20) ethtool -L eth1 combined 20 ** display the RSS LUT ethtool -x eth1 [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000 [82375.558373] #PF: supervisor read access in kernel mode [82375.558391] #PF: error_code(0x0000) - not-present page [82375.558408] PGD 0 P4D 0 [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf] [82375.558786] Call Trace: [82375.558793] <TASK> [82375.558804] rss_prepare.isra.0+0x187/0x2a0 [82375.558827] rss_prepare_data+0x3a/0x50 [82375.558845] ethnl_default_doit+0x13d/0x3e0 [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180 [82375.558886] genl_rcv_msg+0x1ad/0x2b0 [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10 [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10 [82375.558937] netlink_rcv_skb+0x58/0x100 [82375.558957] genl_rcv+0x2c/0x50 [82375.558971] netlink_unicast+0x289/0x3e0 [82375.558988] netlink_sendmsg+0x215/0x440 [82375.559005] __sys_sendto+0x234/0x240 [82375.559555] __x64_sys_sendto+0x28/0x30 [82375.560068] x64_sys_call+0x1909/0x1da0 [82375.560576] do_syscall_64+0x7a/0xfa0 [82375.561076] ? clear_bhb_loop+0x60/0xb0 [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e <snip> | 2026-01-23 | not yet calculated | CVE-2026-22993 | https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference count leak in bpf_prog_test_run_xdp() syzbot is reporting unregister_netdevice: waiting for sit0 to become free. Usage count = 2 problem. A debug printk() patch found that a refcount is obtained at xdp_convert_md_to_buff() from bpf_prog_test_run_xdp(). According to commit ec94670fcb3b ("bpf: Support specifying ingress via xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md(). Therefore, we can consider that the error handling path introduced by commit 1c1949982524 ("bpf: introduce frags support to bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md(). | 2026-01-23 | not yet calculated | CVE-2026-22994 | https://git.kernel.org/stable/c/368569bc546d3368ee9980ba79fc42fdff9a3365 https://git.kernel.org/stable/c/98676ee71fd4eafeb8be63c7f3f1905d40e03101 https://git.kernel.org/stable/c/fb9ef40cccdbacce36029b305d0ef1e12e4fea38 https://git.kernel.org/stable/c/737be05a765761d7d7c9f7fe92274bd8e6f6951e https://git.kernel.org/stable/c/ec69daabe45256f98ac86c651b8ad1b2574489a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: fix use-after-free in ublk_partition_scan_work A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk: 1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk() 2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does: - del_gendisk(ub->ub_disk) - ublk_detach_disk() sets ub->ub_disk = NULL - put_disk() which may free the disk 3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk leading to UAF Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold a reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker either gets a valid reference or sees NULL and exits early. Also change flush_work() to cancel_work_sync() to avoid running the partition scan work unnecessarily when the disk is already detached. | 2026-01-23 | not yet calculated | CVE-2026-22995 | https://git.kernel.org/stable/c/72e28774e9644c2bdbb4920842fbf77103a15a85 https://git.kernel.org/stable/c/f0d385f6689f37a2828c686fb279121df006b4cb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to reference the netdev and mdev associated with that struct. Instead, store netdev directly into mlx5e_dev and get mdev from the containing mlx5_adev aux device structure. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops BUG: kernel NULL pointer dereference, address: 0000000000000520 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_remove+0x68/0x130 RSP: 0018:ffffc900034838f0 EFLAGS: 00010246 RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10 R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0 R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400 FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0 Call Trace: <TASK> device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140 | 2026-01-25 | not yet calculated | CVE-2026-22996 | https://git.kernel.org/stable/c/dcb2ad755a16cb0ecd2dc98234d71a6e216ae7fe https://git.kernel.org/stable/c/a3d4f87d41f5140f1cf5c02fce5cdad2637f6244 https://git.kernel.org/stable/c/123eda2e5b1638e298e3a66bb1e64a8da92de5e1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as "unregister_netdevice: waiting for vcan0 to become free. Usage count = 2." problem. | 2026-01-25 | not yet calculated | CVE-2026-22997 | https://git.kernel.org/stable/c/cb2a610867bc379988bae0bb4b8bbc59c0decf1a https://git.kernel.org/stable/c/6121b7564c725b632ffe4764abe85aa239d37703 https://git.kernel.org/stable/c/1809c82aa073a11b7d335ae932d81ce51a588a4a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command. Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT → both pointers NULL 2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated | 2026-01-25 | not yet calculated | CVE-2026-22998 | https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913 https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF. | 2026-01-25 | not yet calculated | CVE-2026-22999 | https://git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50 https://git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cd https://git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix crash on profile change rollback failure mlx5e_netdev_change_profile can fail to attach a new profile and can fail to rollback to old profile, in such case, we could end up with a dangling netdev with a fully reset netdev_priv. A retry to change profile, e.g. another attempt to call mlx5e_netdev_change_profile via switchdev mode change, will crash trying to access the now NULL priv->mdev. This fix allows mlx5e_netdev_change_profile() to handle previous failures and an empty priv, by not assuming priv is valid. Pass netdev and mdev to all flows requiring mlx5e_netdev_change_profile() and avoid passing priv. In mlx5e_netdev_change_profile() check if current priv is valid, and if not, just attach the new profile without trying to access the old one. This fixes the following oops, when enabling switchdev mode for the 2nd time after first time failure: | 2026-01-25 | not yet calculated | CVE-2026-23000 | https://git.kernel.org/stable/c/dad52950b409d6923880d65a4cddb383286e17d2 https://git.kernel.org/stable/c/e05b8084a20f6bd5827d338c928e5e0fcbafa496 https://git.kernel.org/stable/c/4dadc4077e3f77d6d31e199a925fc7a705e7adeb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https://lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u | 2026-01-25 | not yet calculated | CVE-2026-23001 | https://git.kernel.org/stable/c/8518712a2ca952d6da2238c6f0a16b4ae5ea3f13 https://git.kernel.org/stable/c/6dbead9c7677186f22b7981dd085a0feec1f038e https://git.kernel.org/stable/c/7470a7a63dc162f07c26dbf960e41ee1e248d80e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lib/buildid: use __kernel_read() for sleepable context Prevent a "BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio". For the sleepable context, convert freader to use __kernel_read() instead of direct page cache access via read_cache_folio(). This simplifies the faultable code path by using the standard kernel file reading interface which handles all the complexity of reading file data. At the moment we are not changing the code for non-sleepable context which uses filemap_get_folio() and only succeeds if the target folios are already in memory and up-to-date. The reason is to keep the patch simple and easier to backport to stable kernels. Syzbot repro does not crash the kernel anymore and the selftests run successfully. In the follow up we will make __kernel_read() with IOCB_NOWAIT work for non-sleepable contexts. In addition, I would like to replace the secretmem check with a more generic approach and will add fstest for the buildid code. | 2026-01-25 | not yet calculated | CVE-2026-23002 | https://git.kernel.org/stable/c/b11dfb7708f212b96c7973a474014c071aa02e05 https://git.kernel.org/stable/c/568aeb3476c770a3863c755dd2a199c212434286 https://git.kernel.org/stable/c/777a8560fd29738350c5094d4166fe5499452409 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). | 2026-01-25 | not yet calculated | CVE-2026-23003 | https://git.kernel.org/stable/c/df5ffde9669314500809bc498ae73d6d3d9519ac https://git.kernel.org/stable/c/b9f915340f25cae1562f18e1eb52deafca328414 https://git.kernel.org/stable/c/81c734dae203757fb3c9eee6f9896386940776bd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well. static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); /* This went well */ WRITE_ONCE(list->prev, list); /* Crash, @list has been freed. */ } Issue here is that rt6_uncached_list_del() did not attempt to lock ul->lock, as list_empty(&rt->dst.rt_uncached) returned true because the WRITE_ONCE(list->next, list) happened on the other CPU. We might use list_del_init_careful() and list_empty_careful(), or make sure rt6_uncached_list_del() always grabs the spinlock whenever rt->dst.rt_uncached_list has been set. A similar fix is needed for IPv4. | 2026-01-25 | not yet calculated | CVE-2026-23004 | https://git.kernel.org/stable/c/722de945216144af7cd4d39bdeb936108d2595a7 https://git.kernel.org/stable/c/9a6f0c4d5796ab89b5a28a890ce542344d58bd69 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features that are disabled via the guest's XFD. Because the kernel executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 will cause XRSTOR to #NM and panic the kernel. E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV: This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1, and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's call to fpu_update_guest_xfd(). and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE: The new behavior is consistent with the AMX architecture. Per Intel's SDM, XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD (and non-compacted XSAVE saves the initial configuration of the state component): If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i, the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1; instead, it operates as if XINUSE[i] = 0 (and the state component was in its initial state): it saves bit i of XSTATE_BV field of the XSAVE header as 0; in addition, XSAVE saves the initial configuration of the state component (the other instructions do not save state component i). Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using a constant XFD based on the set of enabled features when XSAVEing for a struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled features can only happen in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, because fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the outgoing FPU state with the current XFD; and that is (on all but the first WRMSR to XFD) the guest XFD. Therefore, XFD can only go out of sync with XSTATE_BV in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, and we can consider it (de facto) part of KVM ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features. [Move clea ---truncated--- | 2026-01-25 | not yet calculated | CVE-2026-23005 | https://git.kernel.org/stable/c/f577508cc8a0adb8b4ebe9480bba7683b6149930 https://git.kernel.org/stable/c/eea6f395ca502c4528314c8112da9b5d65f685eb https://git.kernel.org/stable/c/b45f721775947a84996deb5c661602254ce25ce6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv". | 2026-01-25 | not yet calculated | CVE-2026-23006 | https://git.kernel.org/stable/c/61757f5191daab863d25f03680e912b5449a1eed https://git.kernel.org/stable/c/53bd838ed5950cb18927e4b2e8ee841b7cb10929 https://git.kernel.org/stable/c/be7664c81d3129fc313ef62ff275fd3d33cfecd4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: zero non-PI portion of auto integrity buffer The auto-generated integrity buffer for writes needs to be fully initialized before being passed to the underlying block device, otherwise the uninitialized memory can be read back by userspace or anyone with physical access to the storage device. If protection information is generated, that portion of the integrity buffer is already initialized. The integrity data is also zeroed if PI generation is disabled via sysfs or the PI tuple size is 0. However, this misses the case where PI is generated and the PI tuple size is nonzero, but the metadata size is larger than the PI tuple. In this case, the remainder ("opaque") of the metadata is left uninitialized. Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the metadata is larger than just the PI tuple. | 2026-01-25 | not yet calculated | CVE-2026-23007 | https://git.kernel.org/stable/c/d6072557b90e0c557df319a56f4a9dc482706d2c https://git.kernel.org/stable/c/ca22c566b89164f6e670af56ecc45f47ef3df819 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix KMS with 3D on HW version 10 HW version 10 does not have GB Surfaces so there is no backing buffer for surface backed FBs. This would result in a nullptr dereference and crash the driver causing a black screen. | 2026-01-25 | not yet calculated | CVE-2026-23008 | https://git.kernel.org/stable/c/a91bdd21d5efb3072beefbec13762b7722200c49 https://git.kernel.org/stable/c/d9186faeae6efb7d0841a5e8eb213ff4c7966614 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xhci: sideband: don't dereference freed ring when removing sideband endpoint xhci_sideband_remove_endpoint() incorrectly assumes that the endpoint is running and has a valid transfer ring. Lianqin reported a crash during suspend/wake-up stress testing, and found the cause to be dereferencing a non-existing transfer ring 'ep->ring' during xhci_sideband_remove_endpoint(). The endpoint and its ring may be in unknown state if this function is called after xHCI was reinitialized in resume (lost power), or if device is being re-enumerated, disconnected or endpoint already dropped. Fix this by both removing unnecessary ring access, and by checking ep->ring exists before dereferencing it. Also make sure endpoint is running before attempting to stop it. Remove the xhci_initialize_ring_info() call during sideband endpoint removal as it only initializes ring structure enqueue, dequeue and cycle state values to their starting values without changing actual hardware enqueue, dequeue and cycle state. Leaving them out of sync is worse than leaving it as it is. The endpoint will get freed after this in most use cases. If the (audio) class driver wants to reuse the endpoint after offload then it is up to the class driver to ensure endpoint is properly set up. | 2026-01-25 | not yet calculated | CVE-2026-23009 | https://git.kernel.org/stable/c/34f6634dba87ef72b3c3a3a524be663adef7ab42 https://git.kernel.org/stable/c/dd83dc1249737b837ac5d57c81f2b0977c613d9f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix use-after-free in inet6_addr_del(). syzbot reported use-after-free of inet6_ifaddr in inet6_addr_del(). [0] The cited commit accidentally moved ipv6_del_addr() for mngtmpaddr before reading its ifp->flags for temporary addresses in inet6_addr_del(). Let's move ipv6_del_addr() down to fix the UAF. | 2026-01-25 | not yet calculated | CVE-2026-23010 | https://git.kernel.org/stable/c/2684610a9c9c53f262fd864fa5c407e79f304804 https://git.kernel.org/stable/c/8b6dcb565e419846bd521e31d5e1f98e4d0e1179 https://git.kernel.org/stable/c/ddf96c393a33aef4887e2e406c76c2f8cda1419c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers' ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len. In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ipgre device. | 2026-01-25 | not yet calculated | CVE-2026-23011 | https://git.kernel.org/stable/c/aa57bfea4674e6da8104fa3a37760a6f5f255dad https://git.kernel.org/stable/c/554201ed0a8f4d32e719f42caeaeb2735a9ed6ca https://git.kernel.org/stable/c/e67c577d89894811ce4dcd1a9ed29d8b63476667 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: remove call_control in inactive contexts If damon_call() is executed against a DAMON context that is not running, the function returns error while keeping the damon_call_control object linked to the context's call_controls list. Let's suppose the object is deallocated after the damon_call(), and yet another damon_call() is executed against the same context. The function tries to add the new damon_call_control object to the call_controls list, which still has the pointer to the previous damon_call_control object, which is deallocated. As a result, use-after-free happens. This can actually be triggered using the DAMON sysfs interface. It is not easily exploitable since it requires the sysfs write permission and making definitely weird file writes, though. Please refer to the report for more details about the issue reproduction steps. Fix the issue by making two changes. Firstly, move the final kdamond_call() for cancelling all existing damon_call() requests from terminating DAMON context to be done before the ctx->kdamond reset. This lets any code that sees NULL ctx->kdamond safely assume the context may not access damon_call() requests anymore. Secondly, let damon_call() clean up the damon_call_control objects that were added to the already-terminated DAMON context, before returning the error. | 2026-01-25 | not yet calculated | CVE-2026-23012 | https://git.kernel.org/stable/c/23b061f421eef03647b512f3df48861706c87db3 https://git.kernel.org/stable/c/f9132fbc2e83baf2c45a77043672a63a675c9394 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or crash when an interrupt fires. Fix the error path to free IRQs with the same ioq_vector dev_id used during request_irq(). | 2026-01-25 | not yet calculated | CVE-2026-23013 | https://git.kernel.org/stable/c/aa05a8371ae4a452df623f7202c72409d3c50e40 https://git.kernel.org/stable/c/aa4c066229b05fc3d3c5f42693d25b1828533b6e https://git.kernel.org/stable/c/f93fc5d12d69012788f82151bee55fce937e1432 |
| linux4me2--Menu In Post | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in linux4me2 Menu In Post menu-in-post allows DOM-Based XSS. This issue affects Menu In Post: from n/a through <= 1.4.1. | 2026-01-22 | not yet calculated | CVE-2026-22349 | https://patchstack.com/database/Wordpress/Plugin/menu-in-post/vulnerability/wordpress-menu-in-post-plugin-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| livemesh--Livemesh Addons for WPBakery Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for WPBakery Page Builder addons-for-visual-composer allows Stored XSS. This issue affects Livemesh Addons for WPBakery Page Builder: from n/a through <= 3.9.4. | 2026-01-23 | not yet calculated | CVE-2026-24594 | https://patchstack.com/database/Wordpress/Plugin/addons-for-visual-composer/vulnerability/wordpress-livemesh-addons-for-wpbakery-page-builder-plugin-3-9-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Lodash--Lodash | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23. | 2026-01-21 | not yet calculated | CVE-2025-13465 | https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg |
| LogicHunt--Logo Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LogicHunt Logo Slider logo-slider-wp allows Stored XSS. This issue affects Logo Slider: from n/a through <= 4.9.0. | 2026-01-23 | not yet calculated | CVE-2026-24626 | https://patchstack.com/database/Wordpress/Plugin/logo-slider-wp/vulnerability/wordpress-logo-slider-plugin-4-9-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ludwig You--WPMasterToolKit | Missing Authorization vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPMasterToolKit: from n/a through <= 2.14.0. | 2026-01-22 | not yet calculated | CVE-2026-24388 | https://patchstack.com/database/Wordpress/Plugin/wpmastertoolkit/vulnerability/wordpress-wpmastertoolkit-plugin-2-14-0-broken-access-control-vulnerability?_s_id=cve |
| M-Files Corporation--M-Files Server | Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint. | 2026-01-21 | not yet calculated | CVE-2026-0663 | https://product.m-files.com/security-advisories/cve-2026-0663/ |
| mackron--dr_flac | dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow flaw due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool. | 2026-01-20 | not yet calculated | CVE-2025-14369 | https://github.com/mackron/dr_libs/commit/b2197b2eb7bb609df76315bebf44db4ec2a1aed0 |
| magentech--MaxShop | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech MaxShop sw_maxshop allows PHP Local File Inclusion. This issue affects MaxShop: from n/a through <= 3.6.20. | 2026-01-22 | not yet calculated | CVE-2025-69047 | https://patchstack.com/database/Wordpress/Theme/sw_maxshop/vulnerability/wordpress-maxshop-theme-3-6-20-local-file-inclusion-vulnerability?_s_id=cve |
| Mahmudul Hasan Arif--FluentBoards | Missing Authorization vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentBoards: from n/a through <= 1.91.1. | 2026-01-23 | not yet calculated | CVE-2026-24561 | https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-1-broken-access-control-vulnerability?_s_id=cve |
| MailerLite--MailerLite WooCommerce integration | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MailerLite MailerLite - WooCommerce integration woo-mailerlite allows SQL Injection. This issue affects MailerLite - WooCommerce integration: from n/a through <= 3.1.2. | 2026-01-22 | not yet calculated | CVE-2025-67945 | https://patchstack.com/database/Wordpress/Plugin/woo-mailerlite/vulnerability/wordpress-mailerlite-woocommerce-integration-plugin-3-1-2-sql-injection-vulnerability?_s_id=cve |
| ManageIQ--manageiq | ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service. Version radjabov-2 contains a patch. One may also apply the patch manually. | 2026-01-21 | not yet calculated | CVE-2026-22598 | https://github.com/ManageIQ/manageiq/security/advisories/GHSA-m832-x3g8-63j3 https://github.com/ManageIQ/manageiq/commit/79cef10c7d0278d8a37c3f547c426948180df4df.patch https://github.com/ManageIQ/manageiq/commit/86132851257d73ed9e31a88315e47a8a2b838113 |
| Marco Milesi--ANAC XML Viewer | Server-Side Request Forgery (SSRF) vulnerability in Marco Milesi ANAC XML Viewer anac-xml-viewer allows Server Side Request Forgery. This issue affects ANAC XML Viewer: from n/a through <= 1.8.2. | 2026-01-22 | not yet calculated | CVE-2025-64252 | https://patchstack.com/database/Wordpress/Plugin/anac-xml-viewer/vulnerability/wordpress-anac-xml-viewer-plugin-1-8-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Marco van Wieren--WPO365 | Server-Side Request Forgery (SSRF) vulnerability in Marco van Wieren WPO365 wpo365-login allows Server Side Request Forgery. This issue affects WPO365: from n/a through <= 40.0. | 2026-01-22 | not yet calculated | CVE-2025-67961 | https://patchstack.com/database/Wordpress/Plugin/wpo365-login/vulnerability/wordpress-wpo365-plugin-40-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Marcus (aka @msykes)--WP FullCalendar | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Retrieve Embedded Sensitive Data. This issue affects WP FullCalendar: from n/a through <= 1.6. | 2026-01-23 | not yet calculated | CVE-2026-24523 | https://patchstack.com/database/Wordpress/Plugin/wp-fullcalendar/vulnerability/wordpress-wp-fullcalendar-plugin-1-6-sensitive-data-exposure-vulnerability?_s_id=cve |
| Mario Peshev--WP-CRM System | Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through <= 3.4.5. | 2026-01-22 | not yet calculated | CVE-2025-62106 | https://patchstack.com/database/Wordpress/Plugin/wp-crm-system/vulnerability/wordpress-wp-crm-system-plugin-3-4-5-broken-access-control-vulnerability-2?_s_id=cve |
| marynixie--Related Posts Thumbnails Plugin for WordPress | Cross-Site Request Forgery (CSRF) vulnerability in marynixie Related Posts Thumbnails Plugin for WordPress related-posts-thumbnails allows Cross Site Request Forgery. This issue affects Related Posts Thumbnails Plugin for WordPress: from n/a through <= 4.3.1. | 2026-01-23 | not yet calculated | CVE-2026-24596 | https://patchstack.com/database/Wordpress/Plugin/related-posts-thumbnails/vulnerability/wordpress-related-posts-thumbnails-plugin-for-wordpress-plugin-4-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| matiskiba--Ravpage | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in matiskiba Ravpage ravpage allows Reflected XSS. This issue affects Ravpage: from n/a through <= 2.33. | 2026-01-22 | not yet calculated | CVE-2025-68835 | https://patchstack.com/database/Wordpress/Plugin/ravpage/vulnerability/wordpress-ravpage-plugin-2-33-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| MCP Manager for Claude Desktop--MCP Manager for Claude Desktop | MCP Manager for Claude Desktop execute-command Command Injection Sandbox Escape Vulnerability. This vulnerability allows remote attackers to bypass the sandbox on affected installations of MCP Manager for Claude Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of MCP config objects. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary code in the context of the current process at medium integrity. Was ZDI-CAN-27810. | 2026-01-23 | not yet calculated | CVE-2026-0757 | ZDI-26-023 |
| mcp-server-siri-shortcuts--mcp-server-siri-shortcuts | mcp-server-siri-shortcuts shortcutName Command Injection Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of mcp-server-siri-shortcuts. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the shortcutName parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-27910. | 2026-01-23 | not yet calculated | CVE-2026-0758 | ZDI-26-024 |
| merkulove--Audier For Elementor | Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Audier For Elementor: from n/a through <= 1.0.9. | 2026-01-22 | not yet calculated | CVE-2025-66139 | https://patchstack.com/database/Wordpress/Plugin/audier-elementor/vulnerability/wordpress-audier-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Carter for Elementor | Missing Authorization vulnerability in merkulove Carter for Elementor carter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Carter for Elementor: from n/a through <= 1.0.2. | 2026-01-22 | not yet calculated | CVE-2025-66136 | https://patchstack.com/database/Wordpress/Plugin/carter-elementor/vulnerability/wordpress-carter-for-elementor-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Comparimager for Elementor | Missing Authorization vulnerability in merkulove Comparimager for Elementor comparimager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Comparimager for Elementor: from n/a through <= 1.0.1. | 2026-01-22 | not yet calculated | CVE-2025-66142 | https://patchstack.com/database/Wordpress/Plugin/comparimager-elementor/vulnerability/wordpress-comparimager-for-elementor-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Crumber | Missing Authorization vulnerability in merkulove Crumber crumber-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crumber: from n/a through <= 1.0.10. | 2026-01-22 | not yet calculated | CVE-2025-66143 | https://patchstack.com/database/Wordpress/Plugin/crumber-elementor/vulnerability/wordpress-crumber-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Imager for Elementor | Missing Authorization vulnerability in merkulove Imager for Elementor imager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Imager for Elementor: from n/a through <= 2.0.4. | 2026-01-22 | not yet calculated | CVE-2025-66135 | https://patchstack.com/database/Wordpress/Plugin/imager-elementor/vulnerability/wordpress-imager-for-elementor-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Motionger for Elementor | Missing Authorization vulnerability in merkulove Motionger for Elementor motionger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motionger for Elementor: from n/a through <= 2.0.4. | 2026-01-22 | not yet calculated | CVE-2025-66138 | https://patchstack.com/database/Wordpress/Plugin/motionger-elementor/vulnerability/wordpress-motionger-for-elementor-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Scroller | Missing Authorization vulnerability in merkulove Scroller scroller allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Scroller: from n/a through <= 2.0.2. | 2026-01-22 | not yet calculated | CVE-2025-66141 | https://patchstack.com/database/Wordpress/Plugin/scroller/vulnerability/wordpress-scroller-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Searcher for Elementor | Missing Authorization vulnerability in merkulove Searcher for Elementor searcher-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Searcher for Elementor: from n/a through <= 1.0.3. | 2026-01-22 | not yet calculated | CVE-2025-66137 | https://patchstack.com/database/Wordpress/Plugin/searcher-elementor/vulnerability/wordpress-searcher-for-elementor-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Uper for Elementor | Missing Authorization vulnerability in merkulove Uper for Elementor uper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uper for Elementor: from n/a through <= 1.0.5. | 2026-01-22 | not yet calculated | CVE-2025-66140 | https://patchstack.com/database/Wordpress/Plugin/uper-elementor/vulnerability/wordpress-uper-for-elementor-plugin-1-0-5-broken-access-control-vulnerability?_s_id=cve |
| Merv Barrett--Easy Property Listings | Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Property Listings: from n/a through <= 3.5.17. | 2026-01-22 | not yet calculated | CVE-2025-68072 | https://patchstack.com/database/Wordpress/Plugin/easy-property-listings/vulnerability/wordpress-easy-property-listings-plugin-3-5-16-broken-access-control-vulnerability?_s_id=cve |
| Metagauss--EventPrime | Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.8.0. | 2026-01-22 | not yet calculated | CVE-2026-24380 | https://patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-8-0-broken-access-control-vulnerability?_s_id=cve |
| Metagauss--RegistrationMagic | Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Cross Site Request Forgery. This issue affects RegistrationMagic: from n/a through <= 6.0.6.9. | 2026-01-22 | not yet calculated | CVE-2026-24374 | https://patchstack.com/database/Wordpress/Plugin/custom-registration-form-builder-with-submission-manager/vulnerability/wordpress-registrationmagic-plugin-6-0-6-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Micro.company--Form to Chat App | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Micro.company Form to Chat App form-to-chat allows Stored XSS. This issue affects Form to Chat App: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2026-22463 | https://patchstack.com/database/Wordpress/Plugin/form-to-chat/vulnerability/wordpress-form-to-chat-app-plugin-1-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Mikado-Themes--Biagiotti | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion. This issue affects Biagiotti: from n/a through < 3.5.2. | 2026-01-22 | not yet calculated | CVE-2025-67938 | https://patchstack.com/database/Wordpress/Theme/biagiotti/vulnerability/wordpress-biagiotti-theme-3-5-2-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Cocco | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cocco: from n/a through <= 1.5.1. | 2026-01-22 | not yet calculated | CVE-2026-22391 | https://patchstack.com/database/Wordpress/Theme/cocco/vulnerability/wordpress-cocco-theme-1-5-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Curly | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Curly curly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Curly: from n/a through <= 3.3. | 2026-01-22 | not yet calculated | CVE-2026-22393 | https://patchstack.com/database/Wordpress/Theme/curly/vulnerability/wordpress-curly-theme-3-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Depot | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion. This issue affects Depot: from n/a through <= 1.16. | 2026-01-22 | not yet calculated | CVE-2025-54003 | https://patchstack.com/database/Wordpress/Theme/depot/vulnerability/wordpress-depot-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Dolcino | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Dolcino dolcino allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dolcino: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2026-22411 | https://patchstack.com/database/Wordpress/Theme/dolcino/vulnerability/wordpress-dolcino-theme-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Fiorello | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fiorello fiorello allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fiorello: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2026-22396 | https://patchstack.com/database/Wordpress/Theme/fiorello/vulnerability/wordpress-fiorello-theme-1-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Fleur | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fleur fleur allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fleur: from n/a through <= 2.0. | 2026-01-22 | not yet calculated | CVE-2026-22398 | https://patchstack.com/database/Wordpress/Theme/fleur/vulnerability/wordpress-fleur-theme-2-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Holmes | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Holmes holmes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Holmes: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2026-22400 | https://patchstack.com/database/Wordpress/Theme/holmes/vulnerability/wordpress-holmes-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Innovio | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Innovio: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2026-22404 | https://patchstack.com/database/Wordpress/Theme/innovio/vulnerability/wordpress-innovio-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Justicia | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Justicia: from n/a through <= 1.2. | 2026-01-22 | not yet calculated | CVE-2026-22409 | https://patchstack.com/database/Wordpress/Theme/justicia/vulnerability/wordpress-justicia-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Overton | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Overton overton allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Overton: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22406 | https://patchstack.com/database/Wordpress/Theme/overton/vulnerability/wordpress-overton-theme-1-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--PawFriends - Pet Shop and Veterinary WordPress Theme | Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery. This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22382 | https://patchstack.com/database/Wordpress/Theme/pawfriends/vulnerability/wordpress-pawfriends-pet-shop-and-veterinary-wordpress-theme-theme-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Mikado-Themes--Powerlift | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Powerlift powerlift allows PHP Local File Inclusion. This issue affects Powerlift: from n/a through < 3.2.1. | 2026-01-22 | not yet calculated | CVE-2025-67940 | https://patchstack.com/database/Wordpress/Theme/powerlift/vulnerability/wordpress-powerlift-theme-3-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Roam | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Roam roam allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Roam: from n/a through <= 2.1.1. | 2026-01-22 | not yet calculated | CVE-2026-22407 | https://patchstack.com/database/Wordpress/Theme/roam/vulnerability/wordpress-roam-theme-2-1-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Rosebud | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Rosebud rosebud allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rosebud: from n/a through <= 1.4. | 2026-01-23 | not yet calculated | CVE-2026-24631 | https://patchstack.com/database/Wordpress/Theme/rosebud/vulnerability/wordpress-rosebud-theme-1-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Verdure | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Verdure verdure allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Verdure: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2026-22430 | https://patchstack.com/database/Wordpress/Theme/verdure/vulnerability/wordpress-verdure-theme-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Wanderland | Missing Authorization vulnerability in Mikado-Themes Wanderland wanderland allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wanderland: from n/a through <= 1.5. | 2026-01-22 | not yet calculated | CVE-2026-22458 | https://patchstack.com/database/Wordpress/Theme/wanderland/vulnerability/wordpress-wanderland-theme-1-5-broken-access-control-vulnerability?_s_id=cve |
| Milner--ImageDirector Capture | The use of a hard-coded encryption key in calls to the Password function in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows a local attacker to decrypt database credentials by reading the cryptographic key from the executable. This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58740 | https://sra.io/advisories |
| Milner--ImageDirector Capture | Insufficiently Protected Credentials vulnerability in the Credential Field of Milner ImageDirector Capture allows retrieval of credential material and enables database access. This issue affects ImageDirector Capture: from 7.0.9 through 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58741 | https://sra.io/advisories |
| Milner--ImageDirector Capture | Insufficiently Protected Credentials, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Connection Settings dialog in Milner ImageDirector Capture on Windows allows Adversary in the Middle (AiTM) by modifying the 'Server' field to redirect client authentication. This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58742 | https://sra.io/advisories |
| Milner--ImageDirector Capture | Use of a Broken or Risky Cryptographic Algorithm (DES) vulnerability in the Password class in C2SConnections.dll in Milner ImageDirector Capture on Windows allows Encryption Brute Forcing to obtain database credentials. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58743 | https://sra.io/advisories |
| Milner--ImageDirector Capture | Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58744 | https://sra.io/advisories |
| miniserve--miniserve | A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume). | 2026-01-23 | not yet calculated | CVE-2025-67124 | https://github.com/svenstaro/miniserve https://gist.github.com/thesmartshadow/55688f87f8b985eb530e07d00ef8c63f |
| mkscripts--Download After Email | Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download After Email: from n/a through <= 2.1.9. | 2026-01-23 | not yet calculated | CVE-2026-24541 | https://patchstack.com/database/Wordpress/Plugin/download-after-email/vulnerability/wordpress-download-after-email-plugin-2-1-9-broken-access-control-vulnerability?_s_id=cve |
| mndpsingh287--WP Mail | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS. This issue affects WP Mail: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2025-68008 | https://patchstack.com/database/Wordpress/Plugin/wp-mail/vulnerability/wordpress-wp-mail-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| monetagwp--Monetag Official Plugin | Missing Authorization vulnerability in monetagwp Monetag Official Plugin monetag-official allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Monetag Official Plugin: from n/a through <= 1.1.3. | 2026-01-23 | not yet calculated | CVE-2026-24551 | https://patchstack.com/database/Wordpress/Plugin/monetag-official/vulnerability/wordpress-monetag-official-plugin-plugin-1-1-3-broken-access-control-vulnerability-2?_s_id=cve |
| mwtemplates--DeepDigital | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection. This issue affects DeepDigital: from n/a through <= 1.0.2. | 2026-01-22 | not yet calculated | CVE-2026-22469 | https://patchstack.com/database/Wordpress/Theme/deepdigital/vulnerability/wordpress-deepdigital-theme-1-0-2-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| MyThemeShop--WP Subscribe | Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Subscribe: from n/a through <= 1.2.16. | 2026-01-23 | not yet calculated | CVE-2026-24522 | https://patchstack.com/database/Wordpress/Plugin/wp-subscribe/vulnerability/wordpress-wp-subscribe-plugin-1-2-16-broken-access-control-vulnerability?_s_id=cve |
| Nelio Software--Nelio AB Testing | Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection. This issue affects Nelio AB Testing: from n/a through <= 8.1.8. | 2026-01-22 | not yet calculated | CVE-2025-67944 | https://patchstack.com/database/Wordpress/Plugin/nelio-ab-testing/vulnerability/wordpress-nelio-ab-testing-plugin-8-1-8-arbitrary-code-execution-vulnerability?_s_id=cve |
| Nelio Software--Nelio Content | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection. This issue affects Nelio Content: from n/a through <= 4.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24572 | https://patchstack.com/database/Wordpress/Plugin/nelio-content/vulnerability/wordpress-nelio-content-plugin-4-1-0-sql-injection-vulnerability?_s_id=cve |
| neo4j--Enterprise Edition | Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows an attacker without read access to a property to infer information about its value by trying to enumerate all possible values through observing error messages of SET property. We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issue is fixed. | 2026-01-22 | not yet calculated | CVE-2025-12738 | https://neo4j.com/security/CVE-2025-12738 |
| nerves-hub--nerves_hub_web | NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens. Tokens included user-identifiable components and were not cryptographically secure, making them susceptible to guessing or enumeration. The vulnerability could have allowed unauthorized access to user accounts or API actions protected by these tokens. A fix is available in version 2.3.0 of NervesHub. This version introduces strong, cryptographically-random tokens using `:crypto.strong_rand_bytes/1`, hashing of tokens before database storage to prevent misuse even if the database is compromised, and context-aware token storage to distinguish between session and API tokens. There are no practical workarounds for this issue other than upgrading. In sensitive environments, as a temporary mitigation, firewalling access to the NervesHub server can help limit exposure until an upgrade is possible. | 2026-01-22 | not yet calculated | CVE-2025-64097 | https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-m9vj-776q-vc8m https://github.com/nerves-hub/nerves_hub_web/pull/2024 https://github.com/nerves-hub/nerves_hub_web/releases/tag/v2.3.0 |
| netgsm--Netgsm | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in netgsm Netgsm netgsm allows Reflected XSS. This issue affects Netgsm: from n/a through <= 2.9.63. | 2026-01-22 | not yet calculated | CVE-2025-68010 | https://patchstack.com/database/Wordpress/Plugin/netgsm/vulnerability/wordpress-netgsm-plugin-2-9-62-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| NewPlane--open5GS | Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset. | 2026-01-20 | not yet calculated | CVE-2026-0622 | https://github.com/open5gs/open5gs/issues/2264 https://github.com/open5gs/open5gs/issues/856 https://github.com/open5gs/open5gs/pull/857 |
| Ninetheme--Anarkali | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ninetheme Anarkali anarkali allows PHP Local File Inclusion. This issue affects Anarkali: from n/a through <= 1.0.9. | 2026-01-22 | not yet calculated | CVE-2025-47474 | https://patchstack.com/database/Wordpress/Theme/anarkali/vulnerability/wordpress-anarkali-theme-1-0-9-local-file-inclusion-vulnerability?_s_id=cve |
| Ninetheme--Electron | Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Electron: from n/a through <= 1.8.2. | 2026-01-22 | not yet calculated | CVE-2025-5805 | https://patchstack.com/database/Wordpress/Theme/electron/vulnerability/wordpress-electron-theme-1-8-2-broken-access-control-vulnerability?_s_id=cve |
| Ninja Team--GDPR CCPA Compliance Support | Missing Authorization vulnerability in Ninja Team GDPR CCPA Compliance Support ninja-gdpr-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GDPR CCPA Compliance Support: from n/a through <= 2.7.4. | 2026-01-22 | not yet calculated | CVE-2025-68073 | https://patchstack.com/database/Wordpress/Plugin/ninja-gdpr-compliance/vulnerability/wordpress-gdpr-ccpa-compliance-support-plugin-2-7-4-broken-access-control-vulnerability?_s_id=cve |
| NixOS--nixpkgs | Tandoor Recipes is a recipe manager that can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`. This causes Tandoor Recipes to create its `db.sqlite3` database file in the same directory as `MEDIA_ROOT`, causing it to be accessible without authentication through HTTP like any other media file. This is the case when using `GUNICORN_MEDIA=1` or when using a web server like nginx to serve media files. NixOS 26.05 changes the default value of `MEDIA_ROOT` to a sub folder of the data directory. This only applies to configurations with `system.stateVersion` >= 26.05. For older configurations, one of the workarounds should be applied instead. NixOS 25.11 has received a backport of this patch, though it doesn't fix this vulnerability without user intervention. A recommended workaround is to move `MEDIA_ROOT` into a subdirectory. Non-recommended workarounds include switching to PostgreSQL or disallowing access to `db.sqlite3`. | 2026-01-19 | not yet calculated | CVE-2026-23838 | https://github.com/NixOS/nixpkgs/security/advisories/GHSA-g8w3-p77x-mmxh https://github.com/NixOS/nixpkgs/issues/338339 https://github.com/NixOS/nixpkgs/pull/427845 https://github.com/NixOS/nixpkgs/pull/481140 |
| noCreativity--Dooodl | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noCreativity Dooodl dooodl allows Reflected XSS. This issue affects Dooodl: from n/a through <= 2.3.0. | 2026-01-22 | not yet calculated | CVE-2025-68871 | https://patchstack.com/database/Wordpress/Plugin/dooodl/vulnerability/wordpress-dooodl-plugin-2-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| nodejs--node | A flaw in Node.js's Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | 2026-01-20 | not yet calculated | CVE-2025-55130 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. | 2026-01-20 | not yet calculated | CVE-2025-55131 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | 2026-01-20 | not yet calculated | CVE-2025-55132 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A memory leak in Node.js's OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service. | 2026-01-20 | not yet calculated | CVE-2025-59464 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: `server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) })` | 2026-01-20 | not yet calculated | CVE-2025-59465 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. | 2026-01-20 | not yet calculated | CVE-2025-59466 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. The issue affects users of the Node.js permission model on version v25. At the time of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase. | 2026-01-20 | not yet calculated | CVE-2026-21636 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped. | 2026-01-20 | not yet calculated | CVE-2026-21637 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| npm--cli | npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430. | 2026-01-23 | not yet calculated | CVE-2026-0775 | ZDI-26-043 |
| NSquared--Simply Schedule Appointments | Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15. | 2026-01-22 | not yet calculated | CVE-2025-69315 | https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-15-broken-access-control-vulnerability?_s_id=cve |
| Ollama MCP Server--Ollama MCP Server | Ollama MCP Server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ollama MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27683. | 2026-01-23 | not yet calculated | CVE-2025-15063 | ZDI-26-020 |
| ollama--ollama | An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder | 2026-01-21 | not yet calculated | CVE-2025-66959 | https://github.com/ollama/ollama/issues/9820 https://zero.shotlearni.ng/blog/cve-2025-66959panic-dos-via-unchecked-length-in-gguf-decoder-copy/ |
| ollama--ollama | An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via fs/ggml/gguf.go: the function readGGUFV1String reads a string length from untrusted GGUF metadata. | 2026-01-21 | not yet calculated | CVE-2025-66960 | https://github.com/ollama/ollama/issues/9820 https://zero.shotlearni.ng/blog/cve-2025-66960guf-v1-string-length-cause-panic-in-readggufv1string/ |
| OmniApp--OmniApp | An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource. | 2026-01-23 | not yet calculated | CVE-2025-69908 | https://newgensoft.com/ https://github.com/CBx216/CVE-Newgen-Software-Advisories/blob/main/CVE-2025-69908.md |
| OmniDocs--OmniDocs | An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal configuration information, including cabinet names and database-related metadata. This allows unauthorized enumeration of backend deployment details and may facilitate further targeted attacks. | 2026-01-23 | not yet calculated | CVE-2025-69907 | https://newgensoft.com/ https://github.com/CBx216/CVE-Newgen-Software-Advisories/blob/main/CVE-2025-69907.md |
| omnipressteam--Omnipress | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion. This issue affects Omnipress: from n/a through <= 1.6.6. | 2026-01-23 | not yet calculated | CVE-2026-24538 | https://patchstack.com/database/Wordpress/Plugin/omnipress/vulnerability/wordpress-omnipress-plugin-1-6-6-local-file-inclusion-vulnerability?_s_id=cve |
| Onepay Sri Lanka--onepay Payment Gateway For WooCommerce | Missing Authorization vulnerability in Onepay Sri Lanka onepay Payment Gateway For WooCommerce onepay-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects onepay Payment Gateway For WooCommerce: from n/a through <= 1.1.2. | 2026-01-22 | not yet calculated | CVE-2025-68016 | https://patchstack.com/database/Wordpress/Plugin/onepay-payment-gateway-for-woocommerce/vulnerability/wordpress-onepay-payment-gateway-for-woocommerce-plugin-1-1-2-other-vulnerability-type-vulnerability?_s_id=cve |
| Open WebUI--Open WebUI | Open WebUI PIP install_frontmatter_requirements Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the install_frontmatter_requirements function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28258. | 2026-01-23 | not yet calculated | CVE-2026-0765 | ZDI-26-031 |
| Open WebUI--Open WebUI | Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the load_tool_module_by_id function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28257. | 2026-01-23 | not yet calculated | CVE-2026-0766 | ZDI-26-032 |
| Open WebUI--Open WebUI | Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of credentials provided to the endpoint. The issue results from transmitting sensitive information in plaintext. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-28259. | 2026-01-23 | not yet calculated | CVE-2026-0767 | ZDI-26-033 |
| OpenSolution--Quick.Cart | Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-01-22 | not yet calculated | CVE-2025-67683 | https://cert.pl/posts/2026/01/CVE-2025-67683 https://opensolution.org/sklep-internetowy-quick-cart.html |
| OpenSolution--Quick.Cart | Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-01-22 | not yet calculated | CVE-2025-67684 | https://cert.pl/posts/2026/01/CVE-2025-67683 https://opensolution.org/sklep-internetowy-quick-cart.html |
| orjson--orjson | The orjson.dumps function in orjson through 3.11.4 does not limit recursion for deeply nested JSON documents. | 2026-01-22 | not yet calculated | CVE-2025-67221 | https://github.com/kpatsakis/orjson_vulnerability https://github.com/ijl/orjson |
| orval-labs--orval | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue. | 2026-01-20 | not yet calculated | CVE-2026-23947 | https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv https://github.com/orval-labs/orval/releases/tag/v8.0.2 |
| orval-labs--orval | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3. | 2026-01-22 | not yet calculated | CVE-2026-24132 | https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626 https://github.com/orval-labs/orval/pull/2828 https://github.com/orval-labs/orval/pull/2829 https://github.com/orval-labs/orval/pull/2830 https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5 https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06 https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62 https://github.com/orval-labs/orval/releases/tag/v7.20.0 https://github.com/orval-labs/orval/releases/tag/v8.0.3 |
| ovatheme--Athens | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Athens athens allows PHP Local File Inclusion. This issue affects Athens: from n/a through <= 1.1.6. | 2026-01-22 | not yet calculated | CVE-2025-49994 | https://patchstack.com/database/Wordpress/Theme/athens/vulnerability/wordpress-athens-theme-1-1-6-local-file-inclusion-vulnerability?_s_id=cve |
| ovatheme--Movie Booking | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ovatheme Movie Booking movie-booking allows Path Traversal. This issue affects Movie Booking: from n/a through <= 1.1.5. | 2026-01-22 | not yet calculated | CVE-2025-67963 | https://patchstack.com/database/Wordpress/Plugin/movie-booking/vulnerability/wordpress-movie-booking-plugin-1-1-5-arbitrary-file-deletion-vulnerability?_s_id=cve |
| owntone--owntone | A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. | 2026-01-20 | not yet calculated | CVE-2025-63647 | https://github.com/archersec/poc/tree/master/owntone-server https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7 https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| Paolo--GeoDirectory | Cross-Site Request Forgery (CSRF) vulnerability in Paolo GeoDirectory geodirectory allows Cross Site Request Forgery. This issue affects GeoDirectory: from n/a through <= 2.8.147. | 2026-01-23 | not yet calculated | CVE-2026-24549 | https://patchstack.com/database/Wordpress/Plugin/geodirectory/vulnerability/wordpress-geodirectory-plugin-2-8-147-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Passionate Brains--Add Expires Headers & Optimized Minify | Missing Authorization vulnerability in Passionate Brains Add Expires Headers & Optimized Minify add-expires-headers allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Expires Headers & Optimized Minify: from n/a through <= 3.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24633 | https://patchstack.com/database/Wordpress/Plugin/add-expires-headers/vulnerability/wordpress-add-expires-headers-optimized-minify-plugin-3-1-0-broken-access-control-vulnerability?_s_id=cve |
| pavothemes--Freshio | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Freshio freshio allows PHP Local File Inclusion. This issue affects Freshio: from n/a through <= 2.4.2. | 2026-01-22 | not yet calculated | CVE-2026-22401 | https://patchstack.com/database/Wordpress/Theme/freshio/vulnerability/wordpress-freshio-theme-2-4-2-local-file-inclusion-vulnerability?_s_id=cve |
| pavothemes--Triply | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Triply triply allows PHP Local File Inclusion. This issue affects Triply: from n/a through <= 2.4.7. | 2026-01-22 | not yet calculated | CVE-2026-22402 | https://patchstack.com/database/Wordpress/Theme/triply/vulnerability/wordpress-triply-theme-2-4-7-local-file-inclusion-vulnerability?_s_id=cve |
| peachpayments--Peach Payments Gateway | Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Peach Payments Gateway: from n/a through <= 3.3.6. | 2026-01-22 | not yet calculated | CVE-2025-67942 | https://patchstack.com/database/Wordpress/Plugin/wc-peach-payments-gateway/vulnerability/wordpress-peach-payments-gateway-plugin-3-3-6-broken-access-control-vulnerability?_s_id=cve |
| PenciDesign--Penci Pay Writer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Pay Writer penci-pay-writer allows Stored XSS. This issue affects Penci Pay Writer: from n/a through <= 1.5. | 2026-01-23 | not yet calculated | CVE-2026-24601 | https://patchstack.com/database/Wordpress/Plugin/penci-pay-writer/vulnerability/wordpress-penci-pay-writer-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign--Penci Review | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Review penci-review allows Stored XSS. This issue affects Penci Review: from n/a through <= 3.5. | 2026-01-23 | not yet calculated | CVE-2026-24600 | https://patchstack.com/database/Wordpress/Plugin/penci-review/vulnerability/wordpress-penci-review-plugin-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign--Penci Shortcodes & Performance | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Shortcodes & Performance penci-shortcodes allows DOM-Based XSS. This issue affects Penci Shortcodes & Performance: from n/a through <= 6.1. | 2026-01-22 | not yet calculated | CVE-2026-24354 | https://patchstack.com/database/Wordpress/Plugin/penci-shortcodes/vulnerability/wordpress-penci-shortcodes-performance-plugin-6-1-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| pencilwp--X Addons for Elementor | Missing Authorization vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects X Addons for Elementor: from n/a through <= 1.0.23. | 2026-01-23 | not yet calculated | CVE-2026-24605 | https://patchstack.com/database/Wordpress/Plugin/x-addons-elementor/vulnerability/wordpress-x-addons-for-elementor-plugin-1-0-23-broken-access-control-vulnerability?_s_id=cve |
| PHPgurukul--PHPgurukul | PHPgurukul Online Course Registration v3.1 lacks Cross-Site Request Forgery (CSRF) protection on all administrative forms. An attacker can perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. | 2026-01-22 | not yet calculated | CVE-2025-70899 | https://phpgurukul.com/online-course-registration-free-download/ https://github.com/mathavamoorthi/CVE-2025-70899/blob/main/Missing_CSRF_protection_poc.md |
| Pithikos--Pithikos | An input validation issue in Pithikos websocket-server v.0.6.4 allows a remote attacker to obtain sensitive information or cause unexpected server behavior via the websocket_server/websocket_server.py, WebSocketServer._message_received components. | 2026-01-20 | not yet calculated | CVE-2025-66902 | https://github.com/cyberinvest211/websocket-server-vuln-poc/tree/main |
| pixelgrade--Nova Blocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixelgrade Nova Blocks nova-blocks allows DOM-Based XSS. This issue affects Nova Blocks: from n/a through <= 2.1.9. | 2026-01-23 | not yet calculated | CVE-2026-24528 | https://patchstack.com/database/Wordpress/Plugin/nova-blocks/vulnerability/wordpress-nova-blocks-plugin-2-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PluginOps--Landing Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PluginOps Landing Page Builder page-builder-add allows Stored XSS. This issue affects Landing Page Builder: from n/a through <= 1.5.3.3. | 2026-01-23 | not yet calculated | CVE-2026-24620 | https://patchstack.com/database/Wordpress/Plugin/page-builder-add/vulnerability/wordpress-landing-page-builder-plugin-1-5-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| pondol--Pondol BBS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pondol Pondol BBS pondol-bbs allows Stored XSS. This issue affects Pondol BBS: from n/a through <= 1.1.8.4. | 2026-01-22 | not yet calculated | CVE-2025-49336 | https://patchstack.com/database/Wordpress/Plugin/pondol-bbs/vulnerability/wordpress-pondol-bbs-plugin-1-1-8-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PopCash--PopCash.Net Code Integration Tool | Missing Authorization vulnerability in PopCash PopCash.Net Code Integration Tool popcashnet-code-integration-tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PopCash.Net Code Integration Tool: from n/a through <= 1.8. | 2026-01-23 | not yet calculated | CVE-2026-24619 | https://patchstack.com/database/Wordpress/Plugin/popcashnet-code-integration-tool/vulnerability/wordpress-popcash-net-code-integration-tool-plugin-1-8-broken-access-control-vulnerability?_s_id=cve |
| POSIMYTH--Nexter Blocks | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data. This issue affects Nexter Blocks: from n/a through <= 4.6.3. | 2026-01-22 | not yet calculated | CVE-2026-24377 | https://patchstack.com/database/Wordpress/Plugin/the-plus-addons-for-block-editor/vulnerability/wordpress-nexter-blocks-plugin-4-6-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Poultry Farm Management System--Poultry Farm Management System | Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows: 'companyaddress', 'companyemail', 'companyname', 'country', 'mobilenumber' and 'regno' parameters in '/farm/farmprofile.php'. | 2026-01-20 | not yet calculated | CVE-2025-41024 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-poultry-farm-management-system |
| Poultry Farm Management System--Poultry Farm Management System | Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows: 'category' and 'product' parameters in '/farm/sell_product.php'. | 2026-01-20 | not yet calculated | CVE-2025-41025 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-poultry-farm-management-system |
| Prince--Integrate Google Drive | Missing Authorization vulnerability in Prince Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through <= 1.5.5. | 2026-01-23 | not yet calculated | CVE-2026-24540 | https://patchstack.com/database/Wordpress/Plugin/integrate-google-drive/vulnerability/wordpress-integrate-google-drive-plugin-1-5-5-broken-access-control-vulnerability?_s_id=cve |
| Prince--Radio Player | Server-Side Request Forgery (SSRF) vulnerability in Prince Radio Player radio-player allows Server Side Request Forgery. This issue affects Radio Player: from n/a through <= 2.0.91. | 2026-01-23 | not yet calculated | CVE-2026-24548 | https://patchstack.com/database/Wordpress/Plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-91-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Proptech Plugin--Apimo Connector | Missing Authorization vulnerability in Proptech Plugin Apimo Connector apimo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apimo Connector: from n/a through <= 2.6.4. | 2026-01-22 | not yet calculated | CVE-2026-22445 | https://patchstack.com/database/Wordpress/Plugin/apimo/vulnerability/wordpress-apimo-connector-plugin-2-6-4-broken-access-control-vulnerability?_s_id=cve |
| pterodactyl--panel | Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle. However, in versions prior to 1.12.0, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time. As a result a server would be able to create more databases, allocations, or backups than configured. A malicious user is able to deny resources to other users on the system, and may be able to excessively consume the limited allocations for a node, or fill up backup space faster than is allowed by the system. Version 1.12.0 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2025-69198 | https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607 |
| pterodactyl--panel | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system memory and cpu. Additionally, there is not a limit applied to the total size of messages being sent or received, allowing a malicious user to open thousands of websocket connections and then send massive volumes of information over the socket, overloading the host network, and causing increased CPU and memory load within Wings. Version 1.12.0 patches the issue. | 2026-01-19 | not yet calculated | CVE-2025-69199 | https://github.com/pterodactyl/panel/security/advisories/GHSA-8w7m-w749-rx98 |
| pterodactyl--wings | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider the SQLite max parameter limit when processing activity log entries, allowing a low-privileged user to trigger a condition that floods the panel with activity records. After Wings sends activity logs to the panel it deletes the processed activity entries from the Wings SQLite database. However, it does not consider the max parameter limit of SQLite, 32766 as of SQLite 3.32.0. If Wings attempts to delete more than 32766 entries from the SQLite database in one query, it triggers an error (SQL logic error: too many SQL variables (1)) and does not remove any entries from the database. These entries are then indefinitely re-processed and resent to the panel each time the cron runs. By successfully exploiting this vulnerability, an attacker can trigger a situation where Wings will keep uploading the same activity data to the panel repeatedly (growing each time to include new activity) until the panel's database server runs out of disk space. Version 1.12.0 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-21696 | https://github.com/pterodactyl/wings/security/advisories/GHSA-2497-gp99-2m74 https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/activity_cron.go#L81 https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/sftp_cron.go#L86 |
| purethemes--WorkScout | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout workscout allows Reflected XSS. This issue affects WorkScout: from n/a through <= 4.1.07. | 2026-01-22 | not yet calculated | CVE-2025-67959 | https://patchstack.com/database/Wordpress/Theme/workscout/vulnerability/wordpress-workscout-theme-4-1-07-cross-site-scripting-xss-vulnerability?_s_id=cve |
| purethemes--WorkScout-Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS. This issue affects WorkScout-Core: from n/a through <= 1.7.06. | 2026-01-22 | not yet calculated | CVE-2025-67960 | https://patchstack.com/database/Wordpress/Plugin/workscout-core/vulnerability/wordpress-workscout-core-plugin-1-7-06-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| PyPI--PiPI | An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. | 2026-01-20 | not yet calculated | CVE-2025-56005 | https://github.com/bohmiiidd/Undocumented-RCE-in-PLY |
| Python Software Foundation--CPython | When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. | 2026-01-20 | not yet calculated | CVE-2025-11468 | https://github.com/python/cpython/pull/143936 https://github.com/python/cpython/issues/143935 https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/ https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2 |
| Python Software Foundation--CPython | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module, the characters "+/" will always be accepted, regardless of the value of the "altchars" parameter, which is typically used to establish an "alternative base64 alphabet" such as the URL-safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DO NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior, which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying that user-controlled inputs match the base64 alphabet they are expecting, or by verifying that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | 2026-01-21 | not yet calculated | CVE-2025-12781 | https://github.com/python/cpython/pull/141128 https://github.com/python/cpython/issues/125346 https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/ https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947 https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5 https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76 https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5 |
| Python Software Foundation--CPython | User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. | 2026-01-20 | not yet calculated | CVE-2025-15282 | https://github.com/python/cpython/pull/143926 https://github.com/python/cpython/issues/143925 https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/ https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0 |
| Python Software Foundation--CPython | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | 2026-01-20 | not yet calculated | CVE-2025-15366 | https://github.com/python/cpython/issues/143921 https://github.com/python/cpython/pull/143922 https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/ https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45 |
| Python Software Foundation--CPython | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | 2026-01-20 | not yet calculated | CVE-2025-15367 | https://github.com/python/cpython/pull/143924 https://github.com/python/cpython/issues/143923 https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/ https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7 |
| Python Software Foundation--CPython | When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. | 2026-01-20 | not yet calculated | CVE-2026-0672 | https://github.com/python/cpython/pull/143920 https://github.com/python/cpython/issues/143919 https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/ https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70 https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440 |
| Python Software Foundation--CPython | User-controlled header names and values containing newlines can allow injecting HTTP headers. | 2026-01-20 | not yet calculated | CVE-2026-0865 | https://github.com/python/cpython/pull/143917 https://github.com/python/cpython/issues/143916 https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/ https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58 https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510 https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5 https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211 https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2 https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995 |
| Python Software Foundation--CPython | The email module, specifically the "BytesGenerator" class, didn't properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules; the new behavior will reject the incorrectly folded headers in "BytesGenerator". | 2026-01-23 | not yet calculated | CVE-2026-1299 | https://github.com/python/cpython/pull/144126 https://github.com/python/cpython/issues/144125 https://cve.org/CVERecord?id=CVE-2024-6923 https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/ https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413 |
| Python--Protobuf | A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python's recursion stack and causing a RecursionError. | 2026-01-23 | not yet calculated | CVE-2026-0994 | https://github.com/protocolbuffers/protobuf/pull/25239 |
| QantumThemes--Kentha Elementor Widgets | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion. This issue affects Kentha Elementor Widgets: from n/a through < 3.1. | 2026-01-22 | not yet calculated | CVE-2026-24390 | https://patchstack.com/database/Wordpress/Plugin/kentha-elementor/vulnerability/wordpress-kentha-elementor-widgets-plugin-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| QantumThemes--KenthaRadio | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes KenthaRadio qt-kentharadio allows Reflected XSS. This issue affects KenthaRadio: from n/a through <= 2.2.0. | 2026-01-22 | not yet calculated | CVE-2025-69003 | https://patchstack.com/database/Wordpress/Theme/qt-kentharadio/vulnerability/wordpress-kentharadio-theme-2-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| QOS.CH Sarl--Logback-core | ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado. | 2026-01-22 | not yet calculated | CVE-2026-1225 | https://logback.qos.ch/news.html#1.5.25 |
| Raptive--Raptive Ads | Missing Authorization vulnerability in Raptive Raptive Ads adthrive-ads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Raptive Ads: from n/a through <= 3.10.0. | 2026-01-23 | not yet calculated | CVE-2026-24602 | https://patchstack.com/database/Wordpress/Plugin/adthrive-ads/vulnerability/wordpress-raptive-ads-plugin-3-10-0-broken-access-control-vulnerability?_s_id=cve |
| Rasedul Haque Rumi--BD Courier Order Ratio Checker | Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1. | 2026-01-22 | not yet calculated | CVE-2026-22481 | https://patchstack.com/database/Wordpress/Plugin/bd-courier-order-ratio-checker/vulnerability/wordpress-bd-courier-order-ratio-checker-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve |
| RealMag777--TableOn | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 TableOn posts-table-filterable allows Reflected XSS. This issue affects TableOn: from n/a through <= 1.0.4.2. | 2026-01-22 | not yet calculated | CVE-2025-69316 | https://patchstack.com/database/Wordpress/Plugin/posts-table-filterable/vulnerability/wordpress-tableon-plugin-1-0-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Remi Corson--Easy Theme Options | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Remi Corson Easy Theme Options easy-theme-options allows Reflected XSS. This issue affects Easy Theme Options: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2025-68839 | https://patchstack.com/database/Wordpress/Plugin/easy-theme-options/vulnerability/wordpress-easy-theme-options-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| renatoatshown--Shown Connector | Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shown Connector: from n/a through <= 1.2.10. | 2026-01-22 | not yet calculated | CVE-2025-68003 | https://patchstack.com/database/Wordpress/Plugin/shown-connector/vulnerability/wordpress-shown-connector-plugin-1-2-10-settings-change-vulnerability?_s_id=cve |
| Revive--Revive Adserver | HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error. | 2026-01-20 | not yet calculated | CVE-2026-21640 | https://hackerone.com/reports/3445332 |
| Revive--Revive Adserver | HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the `tracker-delete.php` script of Revive Adserver. Users with permissions to delete trackers are mistakenly allowed to delete trackers owned by other accounts. | 2026-01-20 | not yet calculated | CVE-2026-21641 | https://hackerone.com/reports/3445710 |
| Revive--Revive Adserver | HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | 2026-01-20 | not yet calculated | CVE-2026-21642 | https://hackerone.com/reports/3470970 |
| Revive--Revive Adserver | HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the banner-acl.php script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | 2026-01-20 | not yet calculated | CVE-2026-21663 | https://hackerone.com/reports/3473696 |
| Revive--Revive Adserver | HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the afr.php delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | 2026-01-20 | not yet calculated | CVE-2026-21664 | https://hackerone.com/reports/3468169 |
| richardevcom--Add Polylang support for Customizer | Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery. This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5. | 2026-01-22 | not yet calculated | CVE-2026-22462 | https://patchstack.com/database/Wordpress/Plugin/add-polylang-support-for-customizer/vulnerability/wordpress-add-polylang-support-for-customizer-plugin-1-4-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Riftzilla--QRGen | Reflected Cross-Site Scripting (XSS) vulnerability in Riftzilla's QRGen. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'id' parameter in '/article.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-01-20 | not yet calculated | CVE-2025-40644 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-qrgens-riftzilla |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible. | 2026-01-20 | not yet calculated | CVE-2025-9278 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9279 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. Fuzzing performed using Defensics causes the device to become unresponsive, requiring a reboot. | 2026-01-20 | not yet calculated | CVE-2025-9280 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive step limit storm tests, the device reboots | 2026-01-20 | not yet calculated | CVE-2025-9281 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9282 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9283 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive. | 2026-01-20 | not yet calculated | CVE-2025-9464 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9465 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9466 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--CompactLogix 5370 | A denial-of-service security issue exists in the affected product. The security issue occurs when a malformed CIP forward open message is sent. This could result in a major nonrecoverable fault; a restart is required to recover. | 2026-01-20 | not yet calculated | CVE-2025-11743 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1770.html |
| Rockwell Automation--ControlLogix Redundancy Enhanced Module | Multiple denial-of-service vulnerabilities exist in the affected product. These issues can be triggered through various crafted inputs, including malformed Class 3 messages, memory leak conditions, and other resource exhaustion scenarios. Exploitation may cause the device to become unresponsive and, in some cases, result in a major nonrecoverable fault. Recovery may require a restart. | 2026-01-20 | not yet calculated | CVE-2025-14027 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1769.html |
| Rockwell Automation--Verve Asset Manager | A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024. | 2026-01-20 | not yet calculated | CVE-2025-14376 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html |
| Rockwell Automation--Verve Asset Manager | A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024. | 2026-01-20 | not yet calculated | CVE-2025-14377 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html |
| Roxnor--GetGenie | Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GetGenie: from n/a through <= 4.3.0. | 2026-01-22 | not yet calculated | CVE-2026-24356 | https://patchstack.com/database/Wordpress/Plugin/getgenie/vulnerability/wordpress-getgenie-plugin-4-3-0-broken-access-control-vulnerability?_s_id=cve |
| Ruijie Networks Co., Ltd.--AP180(JA) V1.xx | AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices. | 2026-01-22 | not yet calculated | CVE-2026-23699 | https://www.ruijie.co.jp/products/rg-ap180-pe_p432111650928590848.html#productDocument https://jvn.jp/en/jp/JVN86850670/ |
| RuoYi--RuoYi | Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope. | 2026-01-23 | not yet calculated | CVE-2025-70985 | https://github.com/yangzongzhuan/RuoYi https://gitee.com/y_project/RuoYi https://gitee.com/y_project/RuoYi/issues/IDIDK2 https://gist.github.com/old6ma/1a2dada02656ba9a4730c85f6c765f4f |
| RuoYi--RuoYi | Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data. | 2026-01-23 | not yet calculated | CVE-2025-70986 | https://github.com/yangzongzhuan/RuoYi https://gitee.com/y_project/RuoYi https://gitee.com/y_project/RuoYi/issues/IDIDME https://gist.github.com/old6ma/779320a98f361c299ca024521cb72db6 |
| Rustaurius--Ultimate Reviews | Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Reviews: from n/a through <= 3.2.16. | 2026-01-23 | not yet calculated | CVE-2026-24634 | https://patchstack.com/database/Wordpress/Plugin/ultimate-reviews/vulnerability/wordpress-ultimate-reviews-plugin-3-2-16-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Ryviu--Ryviu – Product Reviews for WooCommerce | Missing Authorization vulnerability in Ryviu Ryviu – Product Reviews for WooCommerce ryviu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ryviu – Product Reviews for WooCommerce: from n/a through <= 3.1.26. | 2026-01-23 | not yet calculated | CVE-2026-24562 | https://patchstack.com/database/Wordpress/Plugin/ryviu/vulnerability/wordpress-ryviu-product-reviews-for-woocommerce-plugin-3-1-26-broken-access-control-vulnerability?_s_id=cve |
| Saad Iqbal--AppExperts | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal AppExperts appexperts allows SQL Injection. This issue affects AppExperts: from n/a through <= 1.4.5. | 2026-01-22 | not yet calculated | CVE-2025-68881 | https://patchstack.com/database/Wordpress/Plugin/appexperts/vulnerability/wordpress-appexperts-plugin-1-4-5-sql-injection-vulnerability?_s_id=cve |
| saeros1984--Neoforum | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in saeros1984 Neoforum neoforum allows Reflected XSS. This issue affects Neoforum: from n/a through <= 1.0. | 2026-01-23 | not yet calculated | CVE-2026-24623 | https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| saeros1984--Neoforum | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in saeros1984 Neoforum neoforum allows Blind SQL Injection. This issue affects Neoforum: from n/a through <= 1.0. | 2026-01-23 | not yet calculated | CVE-2026-24624 | https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-sql-injection-vulnerability?_s_id=cve |
| saleor--saleor | Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed users to modify rich text fields with HTML without running any backend HTML cleaners, thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. If upgrading straight away is not possible, a workaround is to use a client-side cleaner. | 2026-01-21 | not yet calculated | CVE-2026-22849 | https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386 https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335 https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d https://docs.saleor.io/security/#editorjs--html-cleaning |
| saleor--saleor | Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing JavaScript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions, leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., the dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impacted if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the `Content-Disposition: attachment` header. This instructs browsers to download the files instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`. | 2026-01-21 | not yet calculated | CVE-2026-23499 | https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95 https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99 https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10 https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335 https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24 https://docs.saleor.io/security/#restricted-file-uploads |
| saleor--saleor | Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PII exfiltrated. The issue has been patched in Saleor versions 3.22.29, 3.21.45, and 3.20.110. As a workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF. | 2026-01-23 | not yet calculated | CVE-2026-24136 | https://github.com/saleor/saleor/security/advisories/GHSA-r6fj-f4r9-36gr https://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa https://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af https://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153 https://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944 |
| Salesforce--Marketing Cloud Engagement | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22582 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Salesforce--Marketing Cloud Engagement | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22583 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Salesforce--Marketing Cloud Engagement | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22585 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Salesforce--Marketing Cloud Engagement | Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22586 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Scalenut--Scalenut | Missing Authorization vulnerability in Scalenut Scalenut scalenut allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Scalenut: from n/a through <= 1.1.3. | 2026-01-22 | not yet calculated | CVE-2025-68882 | https://patchstack.com/database/Wordpress/Plugin/scalenut/vulnerability/wordpress-scalenut-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve |
| scriptsbundle--AdForest | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scriptsbundle AdForest adforest allows PHP Local File Inclusion. This issue affects AdForest: from n/a through <= 6.0.11. | 2026-01-22 | not yet calculated | CVE-2025-67946 | https://patchstack.com/database/Wordpress/Theme/adforest/vulnerability/wordpress-adforest-theme-6-0-11-local-file-inclusion-vulnerability?_s_id=cve |
| scriptsbundle--AdForest Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle AdForest Elementor adforest-elementor allows Reflected XSS. This issue affects AdForest Elementor: from n/a through <= 3.0.11. | 2026-01-22 | not yet calculated | CVE-2025-67947 | https://patchstack.com/database/Wordpress/Plugin/adforest-elementor/vulnerability/wordpress-adforest-elementor-plugin-3-0-11-cross-site-scripting-xss-vulnerability?_s_id=cve |
| scriptsbundle--CarSpot | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6. | 2026-01-22 | not yet calculated | CVE-2025-69317 | https://patchstack.com/database/Wordpress/Theme/carspot/vulnerability/wordpress-carspot-theme-2-4-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SeaTheme--BM Content Builder | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder bm-builder allows Path Traversal. This issue affects BM Content Builder: from n/a through <= 3.16.3. | 2026-01-22 | not yet calculated | CVE-2025-69055 | https://patchstack.com/database/Wordpress/Plugin/bm-builder/vulnerability/wordpress-bm-content-builder-plugin-3-16-3-arbitrary-file-download-vulnerability?_s_id=cve |
| Select-Themes--Don Peppe | Missing Authorization vulnerability in Select-Themes Don Peppe donpeppe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Don Peppe: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22450 | https://patchstack.com/database/Wordpress/Theme/donpeppe/vulnerability/wordpress-don-peppe-theme-1-3-broken-access-control-vulnerability?_s_id=cve |
| Select-Themes--Prowess | Missing Authorization vulnerability in Select-Themes Prowess prowess allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Prowess: from n/a through <= 1.8.1. | 2026-01-22 | not yet calculated | CVE-2026-22447 | https://patchstack.com/database/Wordpress/Theme/prowess/vulnerability/wordpress-prowess-theme-1-8-1-broken-access-control-vulnerability?_s_id=cve |
| Select-Themes--Prowess | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Prowess prowess allows PHP Local File Inclusion. This issue affects Prowess: from n/a through <= 2.3. | 2026-01-23 | not yet calculated | CVE-2026-24531 | https://patchstack.com/database/Wordpress/Theme/prowess/vulnerability/wordpress-prowess-theme-2-3-local-file-inclusion-vulnerability?_s_id=cve |
| SEOSEON EUROPE S.L--Affiliate Link Tracker | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SEOSEON EUROPE S.L Affiliate Link Tracker affiliate-link-tracker allows Stored XSS. This issue affects Affiliate Link Tracker: from n/a through <= 0.2. | 2026-01-22 | not yet calculated | CVE-2025-62077 | https://patchstack.com/database/Wordpress/Plugin/affiliate-link-tracker/vulnerability/wordpress-affiliate-link-tracker-plugin-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Sergiy Dzysyak--Suggestion Toolkit | Missing Authorization vulnerability in Sergiy Dzysyak Suggestion Toolkit suggestion-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Suggestion Toolkit: from n/a through <= 5.0. | 2026-01-23 | not yet calculated | CVE-2026-24622 | https://patchstack.com/database/Wordpress/Plugin/suggestion-toolkit/vulnerability/wordpress-suggestion-toolkit-plugin-5-0-broken-access-control-vulnerability?_s_id=cve |
| SESAME LABS, S.L--Sesame | Stored Cross-Site Scripting (XSS) vulnerability in Sesame web application, due to the fact that uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request using the 'logo' parameter in '/api/v3/companies/<ID>/logo', which are then stored on the server and executed in the context of any user who accesses the compromised resource. | 2026-01-20 | not yet calculated | CVE-2025-41084 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-sesame-web-application |
| Shahjahan Jewel--FluentForm | Improper Control of Generation of Code ('Code Injection') vulnerability in Shahjahan Jewel FluentForm fluentform allows Code Injection. This issue affects FluentForm: from n/a through <= 6.1.11. | 2026-01-22 | not yet calculated | CVE-2025-69001 | https://patchstack.com/database/Wordpress/Plugin/fluentform/vulnerability/wordpress-fluentform-plugin-6-1-11-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| sheepfish--WebP Conversion | Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebP Conversion: from n/a through <= 2.1. | 2026-01-23 | not yet calculated | CVE-2026-24530 | https://patchstack.com/database/Wordpress/Plugin/webp-conversion/vulnerability/wordpress-webp-conversion-plugin-2-1-broken-access-control-vulnerability?_s_id=cve |
| shinetheme--Traveler | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.8. | 2026-01-22 | not yet calculated | CVE-2026-24367 | https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-8-sql-injection-vulnerability?_s_id=cve |
| shoutoutglobal--ShoutOut | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS. This issue affects ShoutOut: from n/a through <= 4.0.2. | 2026-01-22 | not yet calculated | CVE-2025-68894 | https://patchstack.com/database/Wordpress/Plugin/shoutout/vulnerability/wordpress-shoutout-plugin-4-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SiteLock--SiteLock Security | Missing Authorization vulnerability in SiteLock SiteLock Security sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security: from n/a through <= 5.0.2. | 2026-01-23 | not yet calculated | CVE-2026-24532 | https://patchstack.com/database/Wordpress/Plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-2-broken-access-control-vulnerability?_s_id=cve |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue. | 2026-01-19 | not yet calculated | CVE-2026-23847 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w836-5gpm-7r93 https://github.com/siyuan-note/siyuan/issues/16844 https://github.com/siyuan-note/siyuan/commit/5c0cc375b47567e15edd2119066b09bb0aa18777 |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-23850 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw https://github.com/siyuan-note/siyuan/issues/16860 https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035 https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886 |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue. | 2026-01-19 | not yet calculated | CVE-2026-23851 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-94c7-g2fj-7682 https://github.com/siyuan-note/siyuan/issues/16860 https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix. | 2026-01-19 | not yet calculated | CVE-2026-23852 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb |
| sizam--REHub Framework | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in sizam REHub Framework rehub-framework allows Retrieve Embedded Sensitive Data. This issue affects REHub Framework: from n/a through < 19.9.9.4. | 2026-01-22 | not yet calculated | CVE-2025-63051 | https://patchstack.com/database/Wordpress/Plugin/rehub-framework/vulnerability/wordpress-rehub-framework-plugin-19-9-9-sensitive-data-exposure-vulnerability?_s_id=cve |
| SmartDataSoft--Electrician - Electrical Service WordPress | Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Electrician - Electrical Service WordPress electrician allows Server Side Request Forgery. This issue affects Electrician - Electrical Service WordPress: from n/a through <= 5.6. | 2026-01-22 | not yet calculated | CVE-2026-22358 | https://patchstack.com/database/Wordpress/Theme/electrician/vulnerability/wordpress-electrician-electrical-service-wordpress-theme-5-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| SmartDataSoft--Pool Services | Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Pool Services pool-services allows Server Side Request Forgery. This issue affects Pool Services: from n/a through <= 3.3. | 2026-01-22 | not yet calculated | CVE-2025-62741 | https://patchstack.com/database/Wordpress/Theme/pool-services/vulnerability/wordpress-pool-services-theme-3-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| SmarterTools--SmarterMail | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host. | 2026-01-22 | not yet calculated | CVE-2026-23760 | https://www.smartertools.com/smartermail/release-notes/current https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/ https://code-white.com/public-vulnerability-list/#authenticationserviceforceresetpassword-missing-authentication-in-smartermail https://www.vulncheck.com/advisories/smartertools-smartermail-authentication-bypass-via-password-reset-api |
| SmarterTools--SmarterMail | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker could point SmarterMail at a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes. | 2026-01-23 | not yet calculated | CVE-2026-24423 | https://www.smartertools.com/smartermail/release-notes/current https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api |
| Softwebmedia--Gyan Elements | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Softwebmedia Gyan Elements gyan-elements allows PHP Local File Inclusion. This issue affects Gyan Elements: from n/a through <= 2.2.1. | 2026-01-22 | not yet calculated | CVE-2026-23978 | https://patchstack.com/database/Wordpress/Plugin/gyan-elements/vulnerability/wordpress-gyan-elements-plugin-2-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| solacewp--Solace | Missing Authorization vulnerability in solacewp Solace solace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Solace: from n/a through <= 2.1.16. | 2026-01-22 | not yet calculated | CVE-2025-68911 | https://patchstack.com/database/Wordpress/Theme/solace/vulnerability/wordpress-solace-theme-2-1-16-broken-access-control-vulnerability?_s_id=cve |
| Sourcecodester--Sourcecodester | A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise. | 2026-01-23 | not yet calculated | CVE-2025-70457 | https://www.sourcecodester.com/php/18572/modern-image-gallery-app-using-php-and-mysql-source-code.html https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-8xq6-hjhw-4983 |
| Sourcecodester--Sourcecodester | A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the unsafe innerHTML property to render domain search results. | 2026-01-23 | not yet calculated | CVE-2025-70458 | https://www.sourcecodester.com/php/18500/domain-availability-checker-using-php-and-javascript-source-code.html https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-chm7-vgf7-6f9p |
| SpringBlade--SpringBlade | Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges. | 2026-01-23 | not yet calculated | CVE-2025-70983 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/35 https://gist.github.com/old6ma/9c4d2ba32cd8f562cb80796538157912 |
| Steve Truman--Email Inquiry & Cart Options for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry & Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS. This issue affects Email Inquiry & Cart Options for WooCommerce: from n/a through <= 3.4.3. | 2026-01-23 | not yet calculated | CVE-2026-24526 | https://patchstack.com/database/Wordpress/Plugin/woocommerce-email-inquiry-cart-options/vulnerability/wordpress-email-inquiry-cart-options-for-woocommerce-plugin-3-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| storeapps--Stock Manager for WooCommerce | Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for WooCommerce woocommerce-stock-manager allows Cross Site Request Forgery. This issue affects Stock Manager for WooCommerce: from n/a through < 3.6.0. | 2026-01-22 | not yet calculated | CVE-2026-24365 | https://patchstack.com/database/Wordpress/Plugin/woocommerce-stock-manager/vulnerability/wordpress-stock-manager-for-woocommerce-plugin-3-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Strategy11 Team--AWP Classifieds | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Retrieve Embedded Sensitive Data. This issue affects AWP Classifieds: from n/a through <= 4.4.3. | 2026-01-23 | not yet calculated | CVE-2026-24593 | https://patchstack.com/database/Wordpress/Plugin/another-wordpress-classifieds-plugin/vulnerability/wordpress-awp-classifieds-plugin-4-4-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| strongholdthemes--Dental Care CPT | Deserialization of Untrusted Data vulnerability in strongholdthemes Dental Care CPT dentalcare-cpt allows Object Injection. This issue affects Dental Care CPT: from n/a through <= 20.2. | 2026-01-22 | not yet calculated | CVE-2025-69035 | https://patchstack.com/database/Wordpress/Plugin/dentalcare-cpt/vulnerability/wordpress-dental-care-cpt-plugin-20-2-php-object-injection-vulnerability?_s_id=cve |
| strongholdthemes--Tech Life CPT | Deserialization of Untrusted Data vulnerability in strongholdthemes Tech Life CPT techlife-cpt allows Object Injection. This issue affects Tech Life CPT: from n/a through <= 16.4. | 2026-01-22 | not yet calculated | CVE-2025-69036 | https://patchstack.com/database/Wordpress/Plugin/techlife-cpt/vulnerability/wordpress-tech-life-cpt-plugin-16-4-php-object-injection-vulnerability?_s_id=cve |
| subhansanjaya--Carousel Horizontal Posts Content Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider allows DOM-Based XSS. This issue affects Carousel Horizontal Posts Content Slider: from n/a through <= 3.3.2. | 2026-01-22 | not yet calculated | CVE-2026-22347 | https://patchstack.com/database/Wordpress/Plugin/carousel-horizontal-posts-content-slider/vulnerability/wordpress-carousel-horizontal-posts-content-slider-plugin-3-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Sully--Media Library File Size | Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Library File Size: from n/a through <= 1.6.7. | 2026-01-23 | not yet calculated | CVE-2026-24569 | https://patchstack.com/database/Wordpress/Plugin/media-library-file-size/vulnerability/wordpress-media-library-file-size-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve |
| sumup--SumUp Payment Gateway For WooCommerce | Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SumUp Payment Gateway For WooCommerce: from n/a through <= 2.7.9. | 2026-01-23 | not yet calculated | CVE-2026-24583 | https://patchstack.com/database/Wordpress/Plugin/sumup-payment-gateway-for-woocommerce/vulnerability/wordpress-sumup-payment-gateway-for-woocommerce-plugin-2-7-9-broken-access-control-vulnerability?_s_id=cve |
| swingmx--swingmusic | Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-23877 | https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3 |
| Syed Balkhi--Sugar Calendar (Lite) | Missing Authorization vulnerability in Syed Balkhi Sugar Calendar (Lite) sugar-calendar-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sugar Calendar (Lite): from n/a through <= 3.10.1. | 2026-01-23 | not yet calculated | CVE-2026-24636 | https://patchstack.com/database/Wordpress/Plugin/sugar-calendar-lite/vulnerability/wordpress-sugar-calendar-lite-plugin-3-10-1-broken-access-control-vulnerability?_s_id=cve |
| tabbyai--Tabby Checkout | Insertion of Sensitive Information Into Sent Data vulnerability in tabbyai Tabby Checkout tabby-checkout allows Retrieve Embedded Sensitive Data. This issue affects Tabby Checkout: from n/a through <= 5.8.4. | 2026-01-22 | not yet calculated | CVE-2025-68035 | https://patchstack.com/database/Wordpress/Plugin/tabby-checkout/vulnerability/wordpress-tabby-checkout-plugin-5-8-4-sensitive-data-exposure-vulnerability?_s_id=cve |
| tagDiv--tagDiv Composer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows DOM-Based XSS. This issue affects tagDiv Composer: from n/a through <= 5.4.2. | 2026-01-22 | not yet calculated | CVE-2025-50005 | https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| TangibleWP--Listivo Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion. This issue affects Listivo Core: from n/a through <= 2.3.77. | 2026-01-22 | not yet calculated | CVE-2025-67957 | https://patchstack.com/database/Wordpress/Plugin/listivo-core/vulnerability/wordpress-listivo-core-plugin-2-3-77-local-file-inclusion-vulnerability?_s_id=cve |
| TangibleWP--MyHome Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion. This issue affects MyHome Core: from n/a through <= 4.1.0. | 2026-01-22 | not yet calculated | CVE-2025-67955 | https://patchstack.com/database/Wordpress/Plugin/myhome-core/vulnerability/wordpress-myhome-core-plugin-4-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| Tasos Fel--Civic Cookie Control | Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Civic Cookie Control: from n/a through <= 1.53. | 2026-01-22 | not yet calculated | CVE-2026-22348 | https://patchstack.com/database/Wordpress/Plugin/civic-cookie-control-8/vulnerability/wordpress-civic-cookie-control-plugin-1-53-broken-access-control-vulnerability?_s_id=cve |
| Taxcloud--TaxCloud for WooCommerce | Missing Authorization vulnerability in Taxcloud TaxCloud for WooCommerce simple-sales-tax allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TaxCloud for WooCommerce: from n/a through <= 8.3.8. | 2026-01-22 | not yet calculated | CVE-2025-67958 | https://patchstack.com/database/Wordpress/Plugin/simple-sales-tax/vulnerability/wordpress-taxcloud-for-woocommerce-plugin-8-3-8-broken-access-control-vulnerability?_s_id=cve |
| temash--Barberry | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in temash Barberry barberry allows PHP Local File Inclusion. This issue affects Barberry: from n/a through <= 2.9.9.87. | 2026-01-22 | not yet calculated | CVE-2025-68908 | https://patchstack.com/database/Wordpress/Theme/barberry/vulnerability/wordpress-barberry-theme-2-9-9-87-local-file-inclusion-vulnerability?_s_id=cve |
| Tenda--Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the list parameter, which can cause memory corruption and enable remote code execution. | 2026-01-21 | not yet calculated | CVE-2025-69762 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef80718ff2c3869d32392d?pvs=74 https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef80718ff2c3869d32392d |
| Tenda--Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the vlanId parameter, which can cause memory corruption and enable remote code execution. | 2026-01-21 | not yet calculated | CVE-2025-69763 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef8025a3c6c4b102d95dd4?source=copy_link https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef8025a3c6c4b102d95dd4 |
| Tenda--Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the stbpvid stack buffer, which may result in memory corruption and remote code execution. | 2026-01-22 | not yet calculated | CVE-2025-69764 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef80e9b90fdaa56f51374b?source=copy_link https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef80e9b90fdaa56f51374b |
| Tenda--Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the citytag stack buffer, which may result in memory corruption and remote code execution. | 2026-01-21 | not yet calculated | CVE-2025-69766 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef8043a091e6722b8e255a?source=copy_link https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef8043a091e6722b8e255a |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the time parameter of the sub_60CFC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70644 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/3/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetWifiMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70645 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/2/1.md |
| Tenda--Tenda | Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_72290 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70646 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/5/1.md |
| Tenda--Tenda | Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_727F4 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70648 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/6/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70650 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/1/1.md |
| Tenda--Tenda | Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow in the ssid parameter of the form_fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70651 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/4/1.md |
| The GNU C Library--glibc | Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. | 2026-01-20 | not yet calculated | CVE-2025-15281 | https://sourceware.org/bugzilla/show_bug.cgi?id=33814 |
| Theme-one--The Grid | Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0. | 2026-01-22 | not yet calculated | CVE-2026-24368 | https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Cream Magazine | Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cream Magazine: from n/a through <= 2.1.10. | 2026-01-23 | not yet calculated | CVE-2026-24615 | https://patchstack.com/database/Wordpress/Theme/cream-magazine/vulnerability/wordpress-cream-magazine-theme-2-1-10-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Orchid Store | Missing Authorization vulnerability in themebeez Orchid Store orchid-store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Orchid Store: from n/a through <= 1.5.15. | 2026-01-23 | not yet calculated | CVE-2026-24612 | https://patchstack.com/database/Wordpress/Theme/orchid-store/vulnerability/wordpress-orchid-store-theme-1-5-15-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Simple GDPR Cookie Compliance | Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24604 | https://patchstack.com/database/Wordpress/Plugin/simple-gdpr-cookie-compliance/vulnerability/wordpress-simple-gdpr-cookie-compliance-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Universal Google Adsense and Ads manager | Missing Authorization vulnerability in themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Universal Google Adsense and Ads manager: from n/a through <= 1.1.8. | 2026-01-23 | not yet calculated | CVE-2026-24603 | https://patchstack.com/database/Wordpress/Plugin/universal-google-adsense-and-ads-manager/vulnerability/wordpress-universal-google-adsense-and-ads-manager-plugin-1-1-8-broken-access-control-vulnerability?_s_id=cve |
| Themefic--Hydra Booking | Incorrect Privilege Assignment vulnerability in Themefic Hydra Booking hydra-booking allows Privilege Escalation. This issue affects Hydra Booking: from n/a through <= 1.1.32. | 2026-01-22 | not yet calculated | CVE-2025-68027 | https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-32-privilege-escalation-vulnerability?_s_id=cve |
| ThemeGoods--Craft | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6. | 2026-01-22 | not yet calculated | CVE-2025-68538 | https://patchstack.com/database/Wordpress/Theme/craftcoffee/vulnerability/wordpress-craft-coffee-shop-cafe-restaurant-wordpress-theme-2-3-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--DotLife | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods DotLife dotlife allows Reflected XSS. This issue affects DotLife: from n/a through < 4.9.5. | 2026-01-22 | not yet calculated | CVE-2025-68520 | https://patchstack.com/database/Wordpress/Theme/dotlife/vulnerability/wordpress-dotlife-theme-4-9-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Magazine | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Magazine grandmagazine allows Reflected XSS. This issue affects Grand Magazine: from n/a through <= 3.5.7. | 2026-01-22 | not yet calculated | CVE-2025-69320 | https://patchstack.com/database/Wordpress/Theme/grandmagazine/vulnerability/wordpress-grand-magazine-theme-3-5-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Restaurant Theme Elements for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant Theme Elements for Elementor grandrestaurant-elementor allows Stored XSS. This issue affects Grand Restaurant Theme Elements for Elementor: from n/a through <= 2.1.1. | 2026-01-22 | not yet calculated | CVE-2025-63026 | https://patchstack.com/database/Wordpress/Plugin/grandrestaurant-elementor/vulnerability/wordpress-grand-restaurant-theme-elements-for-elementor-plugin-2-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Spa | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Spa grandspa allows Reflected XSS. This issue affects Grand Spa: from n/a through <= 3.5.5. | 2026-01-22 | not yet calculated | CVE-2025-69321 | https://patchstack.com/database/Wordpress/Theme/grandspa/vulnerability/wordpress-grand-spa-theme-3-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Tour | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS. This issue affects Grand Tour: from n/a through < 5.6.2. | 2026-01-22 | not yet calculated | CVE-2025-67952 | https://patchstack.com/database/Wordpress/Theme/grandtour/vulnerability/wordpress-grand-tour-theme-5-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Hoteller | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Hoteller hoteller allows Reflected XSS. This issue affects Hoteller: from n/a through < 6.8.9. | 2026-01-22 | not yet calculated | CVE-2025-68518 | https://patchstack.com/database/Wordpress/Theme/hoteller/vulnerability/wordpress-hoteller-theme-6-8-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Photography | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeGoods Photography photography allows PHP Local File Inclusion. This issue affects Photography: from n/a through < 7.7.5. | 2026-01-22 | not yet calculated | CVE-2025-68510 | https://patchstack.com/database/Wordpress/Theme/photography/vulnerability/wordpress-photography-theme-7-7-5-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeGoods--PhotoMe | Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods PhotoMe photome allows Server Side Request Forgery. This issue affects PhotoMe: from n/a through < 5.7.2. | 2026-01-22 | not yet calculated | CVE-2026-24381 | https://patchstack.com/database/Wordpress/Theme/photome/vulnerability/wordpress-photome-theme-5-7-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| ThemeHunk--Contact Form & Lead Form Elementor Builder | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Retrieve Embedded Sensitive Data. This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1. | 2026-01-22 | not yet calculated | CVE-2025-68046 | https://patchstack.com/database/Wordpress/Plugin/lead-form-builder/vulnerability/wordpress-contact-form-lead-form-elementor-builder-plugin-2-0-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| themepassion--Ultra Portfolio | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themepassion Ultra Portfolio ultra-portfolio allows Blind SQL Injection. This issue affects Ultra Portfolio: from n/a through <= 6.7. | 2026-01-22 | not yet calculated | CVE-2025-69180 | https://patchstack.com/database/Wordpress/Plugin/ultra-portfolio/vulnerability/wordpress-ultra-portfolio-plugin-6-7-sql-injection-vulnerability?_s_id=cve |
| ThemeREX--Sound \| Musical Instruments Online Store | Deserialization of Untrusted Data vulnerability in ThemeREX Sound \| Musical Instruments Online Store musicplace allows Object Injection. This issue affects Sound \| Musical Instruments Online Store: from n/a through <= 1.6.9. | 2026-01-22 | not yet calculated | CVE-2025-69079 | https://patchstack.com/database/Wordpress/Theme/musicplace/vulnerability/wordpress-sound-musical-instruments-online-store-theme-1-6-9-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| themeton--Consult Aid | Deserialization of Untrusted Data vulnerability in themeton Consult Aid consultaid allows Object Injection. This issue affects Consult Aid: from n/a through <= 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-67617 | https://patchstack.com/database/Wordpress/Theme/consultaid/vulnerability/wordpress-consult-aid-theme-1-4-3-php-object-injection-vulnerability?_s_id=cve |
| Themeum--Tutor LMS | Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4. | 2026-01-22 | not yet calculated | CVE-2025-47555 | https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Themeum--Tutor LMS BunnyNet Integration | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24584 | https://patchstack.com/database/Wordpress/Plugin/tutor-lms-bunnynet-integration/vulnerability/wordpress-tutor-lms-bunnynet-integration-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThimPress--LearnPress – Course Review | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS. This issue affects LearnPress – Course Review: from n/a through <= 4.1.9. | 2026-01-22 | not yet calculated | CVE-2026-24361 | https://patchstack.com/database/Wordpress/Plugin/learnpress-course-review/vulnerability/wordpress-learnpress-course-review-plugin-4-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Tickera--Tickera | Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tickera: from n/a through <= 3.5.6.2. | 2026-01-22 | not yet calculated | CVE-2025-67939 | https://patchstack.com/database/Wordpress/Plugin/tickera-event-ticketing-system/vulnerability/wordpress-tickera-plugin-3-5-6-2-broken-access-control-vulnerability?_s_id=cve |
| Timur Kamaev--Kama Thumbnail | Cross-Site Request Forgery (CSRF) vulnerability in Timur Kamaev Kama Thumbnail kama-thumbnail allows Cross Site Request Forgery. This issue affects Kama Thumbnail: from n/a through <= 3.5.1. | 2026-01-23 | not yet calculated | CVE-2026-24521 | https://patchstack.com/database/Wordpress/Plugin/kama-thumbnail/vulnerability/wordpress-kama-thumbnail-plugin-3-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| tinyMQTT--tinyMQTT | In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscription requests with arbitrarily large or invalid filter payloads. Each request causes memory to be allocated for the malformed topic filter, but the broker does not free the associated memory, leading to unbounded heap growth and potential denial of service under sustained attack. | 2026-01-20 | not yet calculated | CVE-2025-56353 | https://github.com/JustDoIt0910/tinyMQTT/issues/19 |
| TMS Global--TMS Global | A path traversal vulnerability exists in TMS Management Console (version 6.3.7.27386.20250818) from TMS Global Software. The "Download Template" function in the profile dashboard does not neutralize directory traversal sequences (../) in the filePath parameter, allowing authenticated users to read arbitrary files, such as the server's Web.config. | 2026-01-22 | not yet calculated | CVE-2025-69612 | http://tms.com https://tmsglobalsoft.com/ https://github.com/Cr0wld3r/CVE-2025-69612/blob/main/PoC.md |
| TMS Global--TMS Global | File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818 allows a remote attacker to execute arbitrary code via the Logo upload in /Customer/AddEdit | 2026-01-22 | not yet calculated | CVE-2025-69828 | https://tmsglobalsoft.com https://github.com/ZuoqTr/CVE/blob/main/CVE-2025-69828.md |
| TopDesk--TopDesk | An improper certificate validation vulnerability exists in ToDesktop Builder v0.32.1. This vulnerability allows an unauthenticated, on-path attacker to spoof backend responses by exploiting insufficient certificate validation. | 2026-01-23 | not yet calculated | CVE-2025-67229 | https://www.todesktop.com/changelog https://www.todesktop.com/security/advisories/TDSA-2025-001 |
| TopDesktop--TopDesktop | Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to invoke external protocol handlers without sufficient validation. | 2026-01-23 | not yet calculated | CVE-2025-67230 | https://www.todesktop.com/changelog https://www.todesktop.com/security/advisories/TDSA-2025-002 |
| TopDesktop--TopDesktop | A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload. | 2026-01-23 | not yet calculated | CVE-2025-67231 | https://www.todesktop.com/changelog https://www.todesktop.com/security/advisories/TDSA-2025-003 |
| topdevs--Smart Product Viewer | Missing Authorization vulnerability in topdevs Smart Product Viewer smart-product-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Product Viewer: from n/a through <= 1.5.4. | 2026-01-23 | not yet calculated | CVE-2026-24588 | https://patchstack.com/database/Wordpress/Plugin/smart-product-viewer/vulnerability/wordpress-smart-product-viewer-plugin-1-5-4-broken-access-control-vulnerability?_s_id=cve |
| TP-Link Systems Inc.--Archer C20 v6.0, Archer AX53 v1.0 | Logic vulnerability in TP-Link Archer C20 v6.0 and Archer AX53 v1.0 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability. This issue affects Archer C20 v6.0 < V6_251031. Archer AX53 v1.0 < V1_251215 | 2026-01-21 | not yet calculated | CVE-2026-0834 | https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://mattg.systems/posts/cve-2026-0834/ |
| TP-Link Systems Inc.--Omada Software Controller | A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator's browser, potentially exposing sensitive information and compromising confidentiality. | 2026-01-22 | not yet calculated | CVE-2025-9289 | https://support.omadanetworks.com/us/download/ https://support.omadanetworks.com/us/document/114950/ |
| TP-Link Systems Inc.--Omada Software Controller | An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality. | 2026-01-22 | not yet calculated | CVE-2025-9290 | https://support.omadanetworks.com/us/download/ https://support.omadanetworks.com/en/download/ https://support.omadanetworks.com/us/document/114950/ |
| Trimble--SketchUp | Trimble SketchUp SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27769. | 2026-01-23 | not yet calculated | CVE-2025-15062 | ZDI-25-1198 |
| Trusona--Trusona for WordPress | Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trusona for WordPress: from n/a through <= 2.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24627 | https://patchstack.com/database/Wordpress/Plugin/trusona/vulnerability/wordpress-trusona-for-wordpress-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| TYPO3--Extension "Mailqueue" | The extension extends TYPO3's FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core to the extension. More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . | 2026-01-20 | not yet calculated | CVE-2026-0895 | https://typo3.org/security/advisory/typo3-ext-sa-2026-001 https://github.com/CPS-IT/mailqueue/commit/fd09aa4e1a751551bae4b228bee814e22f2048db https://github.com/CPS-IT/mailqueue/commit/12a0a35027bb5609917790a94e43bbf117abf733 |
| Unknown--Bookingor | The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor plugin data. | 2026-01-20 | not yet calculated | CVE-2025-12573 | https://wpscan.com/vulnerability/b6198d76-813c-4f13-8b3d-b4609095ae34/ |
| upnp--upnp | A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection. | 2026-01-20 | not yet calculated | CVE-2025-55423 | https://iptime.com/iptime/?pageid=4&page_id=126&dfsid=3&dftid=583&uid=25203&mod=document https://docs.google.com/spreadsheets/d/1kryOFltCmnPJvDTpIrudgryt79uI4PWchuQ8-Gak24c/edit?usp=sharing https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/README.md https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/assets/affected_products_cve_format.json |
| uPress--Booter | Missing Authorization vulnerability in uPress Booter booter-bots-crawlers-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booter: from n/a through <= 1.5.7. | 2026-01-23 | not yet calculated | CVE-2026-24534 | https://patchstack.com/database/Wordpress/Plugin/booter-bots-crawlers-manager/vulnerability/wordpress-booter-plugin-1-5-7-broken-access-control-vulnerability?_s_id=cve |
| Upsonic--Upsonic | Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Upsonic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the add_tool endpoint, which listens on TCP port 7541 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26845. | 2026-01-23 | not yet calculated | CVE-2026-0773 | ZDI-26-042 |
| uxper--Golo | Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Golo: from n/a through < 1.7.5. | 2026-01-22 | not yet calculated | CVE-2026-23974 | https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-broken-access-control-vulnerability?_s_id=cve |
| uxper--Golo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion. This issue affects Golo: from n/a through < 1.7.5. | 2026-01-22 | not yet calculated | CVE-2026-23975 | https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-local-file-inclusion-vulnerability?_s_id=cve |
| VB-Audio Software--Matrix | VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a local privilege escalation vulnerability in the VBMatrix VAIO virtual audio driver (vbmatrixvaio64*_win10.sys). The driver allocates a 128-byte non-paged pool buffer and, upon receiving IOCTL 0x222060, maps it into user space using an MDL and MmMapLockedPagesSpecifyCache. Because the allocation size is not page-aligned, the mapping exposes the entire 0x1000-byte kernel page containing the buffer plus adjacent non-paged pool allocations with read/write permissions. An unprivileged local attacker can open a device handle (using the required 0x800 attribute flag), invoke the IOCTL to obtain the mapping, and then read or modify live kernel objects and pointers present on that page. This enables bypass of KASLR, arbitrary kernel memory read/write within the exposed page, corruption of kernel objects, and escalation to SYSTEM. | 2026-01-22 | not yet calculated | CVE-2026-23763 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23763 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-matrix-drivers-local-privilege-escalation-via-kernel-memory-exposure |
| VB-Audio Software--Voicemeeter (Standard) | VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). When a handle is opened with a special file attribute value, the drivers improperly initialize FILE_OBJECT->FsContext to a non-pointer magic value. If subsequent operations are not handled by the VB-Audio driver and are forwarded down the audio driver stack (e.g., via PortCls to ks.sys), the invalid FsContext value can be dereferenced, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_ACCESS_VIOLATION. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. | 2026-01-22 | not yet calculated | CVE-2026-23761 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23761 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-improper-file-object-fscontext-initialization |
| VB-Audio Software--Voicemeeter (Standard) | VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers map non-paged pool memory into user space via MmMapLockedPagesSpecifyCache using UserMode access without proper exception handling. If the mapping fails, such as when a process has exhausted available virtual address space, MmMapLockedPagesSpecifyCache raises an exception that is not caught, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_NO_MEMORY. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. | 2026-01-22 | not yet calculated | CVE-2026-23762 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23762 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-mmmaplockedpagesspecifycache |
| VB-Audio Software--Voicemeeter (Standard) | VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers allocate non-paged pool and map it into user space, where a length value associated with the allocation is exposed and can be modified by an unprivileged local attacker. On subsequent IOCTL handling, the corrupted length is used directly as the IoAllocateMdl length argument without adequate integrity checks before building and mapping the MDL, which can cause a kernel crash (BSoD), typically PAGE_FAULT_IN_NONPAGED_AREA. This flaw allows a local user to trigger a denial-of-service on affected Windows systems. | 2026-01-22 | not yet calculated | CVE-2026-23764 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23764 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-corrupted-ioallocatemdl-length |
| VEGA--VEGA | An issue in Beat XP VEGA Smartwatch (Firmware Version - RB303ATV006229) allows an attacker to cause a denial of service via the BLE connection | 2026-01-22 | not yet calculated | CVE-2025-69821 | https://github.com/CipherX1802/CVE-2025-69821-Beat-XP-Vega-Smartwatch-Security-Assessment/blob/main/BeatXP_Vega_Smartwatch_Security_Assessment_Report.pdf https://github.com/CipherX1802/CVE-2025-69821-Beat-XP-Vega-Smartwatch-Security-Assessment.git |
| VibeThemes--WPLMS | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal. This issue affects WPLMS: from n/a through <= 1.9.9.5.4. | 2026-01-22 | not yet calculated | CVE-2025-69097 | https://patchstack.com/database/Wordpress/Plugin/wplms_plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-4-arbitrary-file-deletion-vulnerability?_s_id=cve |
| Vladimir Statsenko--Terms descriptions | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Statsenko Terms descriptions terms-descriptions allows DOM-Based XSS. This issue affects Terms descriptions: from n/a through <= 3.4.9. | 2026-01-23 | not yet calculated | CVE-2026-24621 | https://patchstack.com/database/Wordpress/Plugin/terms-descriptions/vulnerability/wordpress-terms-descriptions-plugin-3-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Vollstart--Event Tickets with Ticket Scanner | Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection. This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.3. | 2026-01-22 | not yet calculated | CVE-2025-68015 | https://patchstack.com/database/Wordpress/Plugin/event-tickets-with-ticket-scanner/vulnerability/wordpress-event-tickets-with-ticket-scanner-plugin-2-7-10-remote-code-execution-rce-vulnerability?_s_id=cve |
| vrpr--WDV One Page Docs | Missing Authorization vulnerability in vrpr WDV One Page Docs wdv-one-page-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WDV One Page Docs: from n/a through <= 1.2.4. | 2026-01-22 | not yet calculated | CVE-2025-68896 | https://patchstack.com/database/Wordpress/Plugin/wdv-one-page-docs/vulnerability/wordpress-wdv-one-page-docs-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| WANotifier--WANotifier | Missing Authorization vulnerability in WANotifier WANotifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through <= 2.7.12. | 2026-01-22 | not yet calculated | CVE-2025-68020 | https://patchstack.com/database/Wordpress/Plugin/notifier/vulnerability/wordpress-wanotifier-plugin-2-7-12-broken-access-control-vulnerability?_s_id=cve |
| WatchYourLAN--WatchYourLAN | WatchYourLAN Configuration Page Argument Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WatchYourLAN. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the arpstrs parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26708. | 2026-01-23 | not yet calculated | CVE-2026-0774 | ZDI-26-039 |
| wbolt.com--IMGspider | Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server Side Request Forgery. This issue affects IMGspider: from n/a through <= 2.3.12. | 2026-01-22 | not yet calculated | CVE-2026-22482 | https://patchstack.com/database/Wordpress/Plugin/imgspider/vulnerability/wordpress-imgspider-plugin-2-3-12-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Web Impian--Bayarcash WooCommerce | Missing Authorization vulnerability in Web Impian Bayarcash WooCommerce bayarcash-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bayarcash WooCommerce: from n/a through <= 4.3.11. | 2026-01-23 | not yet calculated | CVE-2026-24606 | https://patchstack.com/database/Wordpress/Plugin/bayarcash-wc/vulnerability/wordpress-bayarcash-woocommerce-plugin-4-3-11-broken-access-control-vulnerability?_s_id=cve |
| WebAppick--CTX Feed | Missing Authorization vulnerability in WebAppick CTX Feed webappick-product-feed-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CTX Feed: from n/a through <= 6.6.18. | 2026-01-22 | not yet calculated | CVE-2026-22461 | https://patchstack.com/database/Wordpress/Plugin/webappick-product-feed-for-woocommerce/vulnerability/wordpress-ctx-feed-plugin-6-6-15-broken-access-control-vulnerability?_s_id=cve |
| webdevstudios--Automatic Featured Images from Videos | Missing Authorization vulnerability in webdevstudios Automatic Featured Images from Videos automatic-featured-images-from-videos allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Automatic Featured Images from Videos: from n/a through <= 1.2.7. | 2026-01-23 | not yet calculated | CVE-2026-24535 | https://patchstack.com/database/Wordpress/Plugin/automatic-featured-images-from-videos/vulnerability/wordpress-automatic-featured-images-from-videos-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve |
| WebGeniusLab--iRecco Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab iRecco Core irecco-core allows PHP Local File Inclusion. This issue affects iRecco Core: from n/a through <= 1.3.6. | 2026-01-22 | not yet calculated | CVE-2025-69046 | https://patchstack.com/database/Wordpress/Plugin/irecco-core/vulnerability/wordpress-irecco-core-plugin-1-3-6-local-file-inclusion-vulnerability?_s_id=cve |
| WebPros--WebPros | An issue with WordPress directory names in WebPros WordPress Toolkit before 6.9.1 allows privilege escalation. | 2026-01-22 | not yet calculated | CVE-2025-66428 | https://docs.plesk.com/release-notes/obsidian/change-log/#wordpress-toolkit-6.9.1 |
| webpushr--Webpushr | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in webpushr Webpushr webpushr-web-push-notifications allows Retrieve Embedded Sensitive Data. This issue affects Webpushr: from n/a through <= 4.38.0. | 2026-01-23 | not yet calculated | CVE-2026-24536 | https://patchstack.com/database/Wordpress/Plugin/webpushr-web-push-notifications/vulnerability/wordpress-webpushr-plugin-4-38-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| Weintek--cMT3072XH | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges. | 2026-01-22 | not yet calculated | CVE-2025-14750 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05 |
| Weintek--cMT3072XH | A low-privileged user can bypass account credentials without confirming the user's current authentication state, which may lead to unauthorized privilege escalation. | 2026-01-22 | not yet calculated | CVE-2025-14751 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05 |
| WEN Solutions--Contact Form 7 GetResponse Extension | Insertion of Sensitive Information Into Sent Data vulnerability in WEN Solutions Contact Form 7 GetResponse Extension contact-form-7-getresponse-extension allows Retrieve Embedded Sensitive Data. This issue affects Contact Form 7 GetResponse Extension: from n/a through <= 1.0.8. | 2026-01-23 | not yet calculated | CVE-2026-24557 | https://patchstack.com/database/Wordpress/Plugin/contact-form-7-getresponse-extension/vulnerability/wordpress-contact-form-7-getresponse-extension-plugin-1-0-8-sensitive-data-exposure-vulnerability?_s_id=cve |
| whisper-money--whisper-money | Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-23844 | https://github.com/whisper-money/whisper-money/security/advisories/GHSA-c4g3-wpxr-2m74 https://github.com/whisper-money/whisper-money/pull/60 https://github.com/whisper-money/whisper-money/commit/80117c3edeaf5c5a5166f3815fc555a15b5ce686 |
| winkm89--teachPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winkm89 teachPress teachpress allows Stored XSS. This issue affects teachPress: from n/a through <= 9.0.12. | 2026-01-22 | not yet calculated | CVE-2026-22353 | https://patchstack.com/database/Wordpress/Plugin/teachpress/vulnerability/wordpress-teachpress-plugin-9-0-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| winkm89--teachPress | Cross-Site Request Forgery (CSRF) vulnerability in winkm89 teachPress teachpress allows Cross Site Request Forgery. This issue affects teachPress: from n/a through <= 9.0.12. | 2026-01-22 | not yet calculated | CVE-2026-22483 | https://patchstack.com/database/Wordpress/Plugin/teachpress/vulnerability/wordpress-teachpress-plugin-9-0-12-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WisdmLabs--Edwiser Bridge | Missing Authorization vulnerability in WisdmLabs Edwiser Bridge edwiser-bridge allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Edwiser Bridge: from n/a through <= 4.3.2. | 2026-01-23 | not yet calculated | CVE-2026-24570 | https://patchstack.com/database/Wordpress/Plugin/edwiser-bridge/vulnerability/wordpress-edwiser-bridge-plugin-4-3-2-broken-access-control-vulnerability?_s_id=cve |
| woofer696--Dinatur | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in woofer696 Dinatur dinatur allows Stored XSS. This issue affects Dinatur: from n/a through <= 1.18. | 2026-01-22 | not yet calculated | CVE-2025-68866 | https://patchstack.com/database/Wordpress/Plugin/dinatur/vulnerability/wordpress-dinatur-plugin-1-18-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WorklogPRO--WorklogPRO | The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. The vulnerability is exploited via a specially crafted payload placed in an issue's summary field. | 2026-01-21 | not yet calculated | CVE-2025-57681 | https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history https://thestarware.atlassian.net/wiki/spaces/WLP/pages/3326574597/Security+Advisory+CVE-2025-57681+-+Stored+XSS+in+WorklogPRO+DC |
| WorklogPRO--WorklogPRO | The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type on the custom timesheet dialog because the filter name is not properly sanitized during the action. | 2026-01-20 | not yet calculated | CVE-2025-67824 | https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history https://thestarware.atlassian.net/wiki/x/CAAdyg |
| WP Chill--Gallery PhotoBlocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Gallery PhotoBlocks photoblocks-grid-gallery allows DOM-Based XSS. This issue affects Gallery PhotoBlocks: from n/a through <= 1.3.2. | 2026-01-22 | not yet calculated | CVE-2026-24389 | https://patchstack.com/database/Wordpress/Plugin/photoblocks-grid-gallery/vulnerability/wordpress-gallery-photoblocks-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Chill--Modula Image Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Stored XSS. This issue affects Modula Image Gallery: from n/a through <= 2.13.4. | 2026-01-22 | not yet calculated | CVE-2026-23976 | https://patchstack.com/database/Wordpress/Plugin/modula-best-grid-gallery/vulnerability/wordpress-modula-image-gallery-plugin-2-13-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Messiah--Ai Image Alt Text Generator for WP | Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ai Image Alt Text Generator for WP: from n/a through <= 1.1.9. | 2026-01-23 | not yet calculated | CVE-2026-24579 | https://patchstack.com/database/Wordpress/Plugin/ai-image-alt-text-generator-for-wp/vulnerability/wordpress-ai-image-alt-text-generator-for-wp-plugin-1-1-9-broken-access-control-vulnerability?_s_id=cve |
| WP Messiah--Frontis Blocks | Server-Side Request Forgery (SSRF) vulnerability in WP Messiah Frontis Blocks frontis-blocks allows Server Side Request Forgery. This issue affects Frontis Blocks: from n/a through <= 1.1.5. | 2026-01-22 | not yet calculated | CVE-2025-68030 | https://patchstack.com/database/Wordpress/Plugin/frontis-blocks/vulnerability/wordpress-frontis-blocks-plugin-1-1-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| WP Swings--Points and Rewards for WooCommerce | Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Points and Rewards for WooCommerce: from n/a through <= 2.9.5. | 2026-01-23 | not yet calculated | CVE-2026-24581 | https://patchstack.com/database/Wordpress/Plugin/points-and-rewards-for-woocommerce/vulnerability/wordpress-points-and-rewards-for-woocommerce-plugin-2-9-5-broken-access-control-vulnerability?_s_id=cve |
| WP Travel--WP Travel | Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Travel: from n/a through <= 11.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24568 | https://patchstack.com/database/Wordpress/Plugin/wp-travel/vulnerability/wordpress-wp-travel-plugin-11-0-0-broken-access-control-vulnerability?_s_id=cve |
| wpdive--ElementCamp | Missing Authorization vulnerability in wpdive ElementCamp element-camp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementCamp: from n/a through <= 2.3.2. | 2026-01-23 | not yet calculated | CVE-2026-24556 | https://patchstack.com/database/Wordpress/Plugin/element-camp/vulnerability/wordpress-elementcamp-plugin-2-3-2-broken-access-control-vulnerability?_s_id=cve |
| wpeverest--User Registration | Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.6. | 2026-01-22 | not yet calculated | CVE-2025-67956 | https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-6-broken-access-control-vulnerability?_s_id=cve |
| wpeverest--User Registration | Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.9. | 2026-01-22 | not yet calculated | CVE-2026-24353 | https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-9-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| wphocus--My auctions allegro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS. This issue affects My auctions allegro: from n/a through <= 3.6.32. | 2026-01-22 | not yet calculated | CVE-2025-67943 | https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| wphocus--My auctions allegro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows PHP Local File Inclusion. This issue affects My auctions allegro: from n/a through <= 3.6.33. | 2026-01-22 | not yet calculated | CVE-2026-22464 | https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-33-local-file-inclusion-vulnerability?_s_id=cve |
| wpjobportal--WP Job Portal | Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Portal: from n/a through <= 2.4.3. | 2026-01-22 | not yet calculated | CVE-2026-24379 | https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-4-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| wproyal--Bard | Missing Authorization vulnerability in wproyal Bard bard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bard: from n/a through <= 2.229. | 2026-01-22 | not yet calculated | CVE-2025-63018 | https://patchstack.com/database/Wordpress/Theme/bard/vulnerability/wordpress-bard-theme-2-229-broken-access-control-vulnerability?_s_id=cve |
| wptravelengine--Travel Monster | Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Monster: from n/a through <= 1.3.3. | 2026-01-23 | not yet calculated | CVE-2026-24607 | https://patchstack.com/database/Wordpress/Theme/travel-monster/vulnerability/wordpress-travel-monster-theme-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| wpWave--Hide My WP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWave Hide My WP hide_my_wp allows Reflected XSS. This issue affects Hide My WP: from n/a through <= 6.2.12. | 2026-01-22 | not yet calculated | CVE-2025-69098 | https://patchstack.com/database/Wordpress/Plugin/hide_my_wp/vulnerability/wordpress-hide-my-wp-plugin-6-2-12-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WPXPO--PostX | Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PostX: from n/a through <= 5.0.3. | 2026-01-22 | not yet calculated | CVE-2025-69313 | https://patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-5-0-3-broken-access-control-vulnerability?_s_id=cve |
| XDocReport | A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions. | 2026-01-20 | not yet calculated | CVE-2025-64087 | https://github.com/opensagres/xdocreport https://github.com/opensagres/xdocreport/pull/705 https://hackmd.io/@cuongnh/BJEnw7SAlg https://hackmd.io/@cuongnh/SkQvhEf0lx https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI- |
| XDocReport--XDocReport | An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file. | 2026-01-20 | not yet calculated | CVE-2025-65482 | https://github.com/opensagres/xdocreport https://drive.google.com/drive/folders/1hUyCznpBN7ivo5krmyJ4OQc_q626Hy5q?usp=sharing https://hackmd.io/@cuongnh/r1B7B8fJ-g https://hackmd.io/@cuongnh/rkJPCgSy-l https://github.com/AT190510-Cuong/CVE-2025-65482-XXE- |
| XLPlugins--NextMove Lite | Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NextMove Lite: from n/a through <= 2.23.0. | 2026-01-23 | not yet calculated | CVE-2026-24599 | https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/vulnerability/wordpress-nextmove-lite-plugin-2-23-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| XpeedStudio--Bajaar - Highly Customizable WooCommerce WordPress Theme | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in XpeedStudio Bajaar - Highly Customizable WooCommerce WordPress Theme bajaar allows PHP Local File Inclusion. This issue affects Bajaar - Highly Customizable WooCommerce WordPress Theme: from n/a through <= 2.1.0. | 2026-01-22 | not yet calculated | CVE-2025-69004 | https://patchstack.com/database/Wordpress/Theme/bajaar/vulnerability/wordpress-bajaar-highly-customizable-woocommerce-wordpress-theme-theme-2-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| Xpro--Xpro Elementor Addons | Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server. This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1. | 2026-01-22 | not yet calculated | CVE-2025-69312 | https://patchstack.com/database/Wordpress/Plugin/xpro-elementor-addons/vulnerability/wordpress-xpro-elementor-addons-plugin-1-4-19-1-arbitrary-file-upload-vulnerability?_s_id=cve |
| xtemos--WoodMart | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection. This issue affects WoodMart: from n/a through <= 8.3.7. | 2026-01-22 | not yet calculated | CVE-2025-47600 | https://patchstack.com/database/Wordpress/Theme/woodmart/vulnerability/wordpress-woodmart-theme-8-3-7-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. As a workaround, the patch can be applied manually: only a single line in templates/logging_macros.vm needs to be changed, and no restart is required. | 2026-01-23 | not yet calculated | CVE-2026-24128 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12 https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5 https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1 https://jira.xwiki.org/browse/XWIKI-23462 |
| yasir129--Turn Yoast SEO FAQ Block to Accordion | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yasir129 Turn Yoast SEO FAQ Block to Accordion faq-schema-block-to-accordion allows Stored XSS. This issue affects Turn Yoast SEO FAQ Block to Accordion: from n/a through <= 1.0.6. | 2026-01-23 | not yet calculated | CVE-2026-24591 | https://patchstack.com/database/Wordpress/Plugin/faq-schema-block-to-accordion/vulnerability/wordpress-turn-yoast-seo-faq-block-to-accordion-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| YITHEMES--YITH WooCommerce Request A Quote | Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Request A Quote: from n/a through <= 2.46.0. | 2026-01-22 | not yet calculated | CVE-2026-24366 | https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-request-a-quote/vulnerability/wordpress-yith-woocommerce-request-a-quote-plugin-2-46-0-broken-access-control-vulnerability?_s_id=cve |
| zhblue--hustoj | hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula, the formula will be executed when an administrator exports and opens the rank list in Microsoft Excel. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication. | 2026-01-21 | not yet calculated | CVE-2026-23873 | https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw |
| zohocrm--Zoho CRM Lead Magnet | Missing Authorization vulnerability in zohocrm Zoho CRM Lead Magnet zoho-crm-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zoho CRM Lead Magnet: from n/a through <= 1.8.1.5. | 2026-01-23 | not yet calculated | CVE-2026-24595 | https://patchstack.com/database/Wordpress/Plugin/zoho-crm-forms/vulnerability/wordpress-zoho-crm-lead-magnet-plugin-1-8-1-5-broken-access-control-vulnerability?_s_id=cve |
| ZoomIt--DZS Video Gallery | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ZoomIt DZS Video Gallery dzs-videogallery allows SQL Injection. This issue affects DZS Video Gallery: from n/a through <= 12.37. | 2026-01-22 | not yet calculated | CVE-2025-49049 | https://patchstack.com/database/Wordpress/Plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-37-sql-injection-vulnerability?_s_id=cve |
| zozothemes--Miion | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Miion miion allows PHP Local File Inclusion. This issue affects Miion: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-68913 | https://patchstack.com/database/Wordpress/Theme/miion/vulnerability/wordpress-miion-theme-1-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| zozothemes--Miion | Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Miion miion allows Upload a Web Shell to a Web Server. This issue affects Miion: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-68986 | https://patchstack.com/database/Wordpress/Theme/miion/vulnerability/wordpress-miion-theme-1-2-7-arbitrary-file-upload-vulnerability?_s_id=cve |
| Zuinq Studio--IsMyGym | Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-01-20 | not yet calculated | CVE-2025-41081 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-ismygym |

Vulnerability Summary for the Week of January 12, 2026
Posted on Tuesday January 20, 2026

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10-Strike--Strike Network Inventory Explorer Pro | 10-Strike Network Inventory Explorer Pro 9.31 contains a buffer overflow vulnerability in the text file import functionality that allows remote code execution. Attackers can craft a malicious text file with carefully constructed payload to trigger a reverse shell and execute arbitrary code on the target system. | 2026-01-15 | 9.8 | CVE-2021-47772 | ExploitDB-50472 Vendor Homepage |
| 10-Strike--Strike Network Inventory Explorer Pro | 10-Strike Network Inventory Explorer Pro 9.31 contains an unquoted service path vulnerability in the srvInventoryWebServer service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path segments to achieve privilege escalation and execute code with system-level permissions. | 2026-01-15 | 7.8 | CVE-2021-47767 | ExploitDB-50494 Vendor Homepage |
| 4Homepages--4images | 4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. Attackers can save malicious code in the template and execute arbitrary commands by accessing a specific categories.php endpoint with a crafted cat_id parameter. | 2026-01-13 | 8.8 | CVE-2022-50806 | ExploitDB-51147 Official 4images Software Download Page VulnCheck Advisory: 4images 1.9 - Remote Command Execution (RCE) |
| ABB--ABB Ability OPTIMAX | Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX. This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120. | 2026-01-16 | 8.1 | CVE-2025-14510 | https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A1331&LanguageCode=en&DocumentPartId=&Action=Launch |
| Acer--Acer Backup Manager Module | Acer Backup Manager 3.0.0.99 contains an unquoted service path vulnerability in the NTI IScheduleSvc service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\NTI\Acer Backup Manager\ to inject malicious executables that would run with elevated LocalSystem privileges. | 2026-01-16 | 7.8 | CVE-2021-47826 | ExploitDB-49889 Acer Official Homepage VulnCheck Advisory: Acer Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path |
| Acer--Acer Updater Service | Acer Updater Service 1.2.3500.0 contains an unquoted service path vulnerability that allows local users to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files\Acer\Acer Updater\ to inject malicious executables that will run with LocalSystem permissions during service startup. | 2026-01-16 | 7.8 | CVE-2021-47825 | ExploitDB-49890 Acer Official Homepage VulnCheck Advisory: Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path |
| Acer--ePowerSvc | Acer ePowerSvc 6.0.3008.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-16 | 7.8 | CVE-2021-47823 | ExploitDB-49900 Acer Official Homepage VulnCheck Advisory: ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path |
| Adobe--Bridge | Bridge versions 15.1.2, 16.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21283 | https://helpx.adobe.com/security/products/bridge/apsb26-07.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21267 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21268 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21271 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could leverage this vulnerability to manipulate or inject malicious data into files on the system. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21272 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could leverage this vulnerability to bypass security measures and execute unauthorized code. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21274 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Illustrator | Illustrator versions 29.8.3, 30.0 and earlier are affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21280 | https://helpx.adobe.com/security/products/illustrator/apsb26-03.html |
| Adobe--InCopy | InCopy versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21281 | https://helpx.adobe.com/security/products/incopy/apsb26-04.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21275 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21276 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21277 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21304 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--Substance3D - Designer | Substance3D - Designer versions 15.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21307 | https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21298 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21299 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Painter | Substance3D - Painter versions 11.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21305 | https://helpx.adobe.com/security/products/substance3d_painter/apsb26-10.html |
| Adobe--Substance3D - Sampler | Substance3D - Sampler versions 5.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21306 | https://helpx.adobe.com/security/products/substance3d-sampler/apsb26-11.html |
| Adobe--Substance3D - Stager | Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21287 | https://helpx.adobe.com/security/products/substance3d_stager/apsb26-09.html |
| Advantech--IoTSuite and IoT Edge Products | Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet. | 2026-01-12 | 10 | CVE-2025-52694 | https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001/ |
| agentfront--enclave | Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm's core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0. | 2026-01-13 | 10 | CVE-2026-22686 | https://github.com/agentfront/enclave/security/advisories/GHSA-7qm7-455j-5p63 https://github.com/agentfront/enclave/commit/ed8bc438b2cd6e6f0b5f2de321e5be6f0169b5a1 |
| ahmadgb--GeekyBot Generate AI Content Without Prompt, Chatbot and Lead Generation | The GeekyBot - Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Chat History page. | 2026-01-14 | 7.2 | CVE-2025-15266 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b30e84db-c73f-4df2-9c88-c37a7e14c95b?source=cve https://wordpress.org/plugins/geeky-bot/ |
| Aimeos--Aimeos Laravel ecommerce platform | Aimeos 2021.10 LTS contains a SQL injection vulnerability in the JSON API 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint. | 2026-01-15 | 8.2 | CVE-2021-47763 | ExploitDB-50538 Vendor Homepage Aimeos Laravel E-Commerce Package |
| Aimone-Video-Converter--AimOne Video Converter | AimOne Video Converter 2.04 Build 103 contains a buffer overflow vulnerability in its registration form that causes application crashes. Attackers can generate a 7000-byte payload to trigger the denial of service and potentially exploit the software's registration mechanism. | 2026-01-13 | 9.8 | CVE-2023-54328 | ExploitDB-51196 AimOne Video Converter Software Informer Page Archived AimOne Software Website Vulnerability Reproduction Repository VulnCheck Advisory: AimOne Video Converter 2.04 Build 103 Buffer Overflow in Registration Form |
| Aiven-Open--bigquery-connector-for-apache-kafka | Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiven's Google BigQuery Kafka Connect Sink connector requires Google Cloud credential configurations for authentication to BigQuery services. During connector configuration, users can supply credential JSON files that are processed by Google authentication libraries. The service fails to validate externally-sourced credential configurations before passing them to the authentication libraries. An attacker can exploit this by providing a malicious credential configuration containing crafted credential_source.file paths or credential_source.url endpoints, resulting in arbitrary file reads or SSRF attacks. | 2026-01-16 | 7.7 | CVE-2026-23529 | https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/security/advisories/GHSA-3mg8-2g53-5gj4 https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/commit/20ea3921c6fe72d605a033c1943b20f49eaba981 https://docs.cloud.google.com/support/bulletins#gcp-2025-005 https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/releases/tag/v2.11.0 |
| ajseidl--AJS Footnotes | The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to update plugin settings and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 7.2 | CVE-2025-15378 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4da167e0-c1cf-496f-9b14-35fc70386be1?source=cve https://plugins.trac.wordpress.org/browser/ajs-footnotes/tags/1.0/ajs_footnotes.php?marks=138,271,303#L138 |
| Algo Solutions--Algo 8028 | Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. Attackers can exploit the insecure 'source' parameter by injecting commands that are executed with root privileges, enabling remote code execution through a crafted POST request. | 2026-01-13 | 8.8 | CVE-2022-50909 | ExploitDB-50960 Algo Solutions Official Homepage Algo 8028 Firmware Downloads VulnCheck Advisory: Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated) |
| Altium--Altium 365 | A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker's payload to execute in the context of the victim's authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post. | 2026-01-15 | 9 | CVE-2026-1009 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Enterprise Server | A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator's browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions. | 2026-01-15 | 8 | CVE-2026-1010 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Live | A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile. | 2026-01-15 | 7.6 | CVE-2026-1008 | https://www.altium.com/platform/security-compliance/security-advisories |
| Ametys--Ametys CMS | Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerability in the link directory's input fields for external links. Attackers can inject malicious script code in link text and descriptions to execute persistent attacks that compromise user sessions and manipulate application modules. | 2026-01-13 | 7.2 | CVE-2022-50937 | ExploitDB-50692 Vulnerability Lab Advisory Official Ametys CMS Homepage VulnCheck Advisory: Ametys CMS v4.4.1 - Cross Site Scripting (XSS) |
| amitmerchant1990--Markdownify | Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47837 | ExploitDB-49835 Markdownify GitHub Repository Proof of Concept Video VulnCheck Advisory: Markdownify 1.2.0 - Persistent Cross-Site Scripting |
| anomalyco--opencode | OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216. | 2026-01-12 | 8.8 | CVE-2026-22812 | https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh |
| appsmithorg--appsmith | Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker's domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93. | 2026-01-12 | 9.7 | CVE-2026-22794 | https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633 |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of "taoimr" service, potentially resulting in complete compromise of the model application server. | 2026-01-16 | 10 | CVE-2025-61937 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Standard User) to tamper with queries in Captive Historian and achieve code execution under SQL Server administrative privileges, potentially resulting in complete compromise of the SQL Server. | 2026-01-16 | 8.4 | CVE-2025-61943 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (OS standard user) to tamper with TCL Macro scripts and escalate privileges to OS system, potentially resulting in complete compromise of the model application server. | 2026-01-16 | 8.8 | CVE-2025-64691 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Process Optimization project files, embed code, and escalate their privileges to the identity of a victim user who subsequently interacts with the project files. | 2026-01-16 | 8.1 | CVE-2025-64729 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to trick Process Optimization services into loading arbitrary code and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server. | 2026-01-16 | 8.8 | CVE-2025-65118 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The Process Optimization application suite leverages connection channels/protocols that by default are not encrypted and could become subject to hijacking or data leakage in certain man-in-the-middle or passive inspection scenarios. | 2026-01-16 | 7.1 | CVE-2025-64769 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Designer User) to embed OLE objects into graphics, and escalate their privileges to the identity of a victim user who subsequently interacts with the graphical elements. | 2026-01-16 | 7.4 | CVE-2025-65117 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| Bdtask--Isshue Shopping Cart | Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. Attackers with privileged user accounts can inject malicious scripts that execute on preview, potentially enabling session hijacking and persistent phishing attacks. | 2026-01-15 | 7.2 | CVE-2021-47769 | ExploitDB-50490 Vulnerability-Lab Disclosure Official Product Homepage |
| Beehive Forum--Beehive Forum | Beehive Forum 1.5.2 contains a host header injection vulnerability in the forgot password functionality that allows attackers to manipulate password reset requests. Attackers can inject a malicious host header to intercept password reset tokens and change victim account passwords without direct authentication. | 2026-01-13 | 7.5 | CVE-2022-50910 | ExploitDB-50923 Beehive Forum Official Website Beehive Forum SourceForge Project Proof of Concept Imgur VulnCheck Advisory: Beehive Forum - Account Takeover |
| Brother--Brother BRAgent | Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_Agent_Client service running with LocalSystem privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Brother\BRAgent\ to inject and execute malicious code with elevated system permissions. | 2026-01-15 | 7.8 | CVE-2020-36928 | ExploitDB-50010 BRAgent Webpage VulnCheck Advisory: Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in print job processing by WSD on Small Office Multifunction Printers and Laser Printers (*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14231 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in XML processing of XPS file in Small Office Multifunction Printers and Laser Printers (*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14232 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Invalid free in CPCA file deletion processing on Small Office Multifunction Printers and Laser Printers (*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14233 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in CPCA list processing on Small Office Multifunction Printers and Laser Printers (*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14234 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in XPS font fpgm data processing on Small Office Multifunction Printers and Laser Printers (*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14235 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in Address Book attribute tag processing on Small Office Multifunction Printers (*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14236 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in XPS font parse processing on Small Office Multifunction Printers and Laser Printers (*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14237 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| checkpoint--Harmony SASE | A local user can trigger Harmony SASE Windows client to write or delete files outside the intended certificate working directory. | 2026-01-14 | 7.5 | CVE-2025-9142 | https://support.checkpoint.com/results/sk/sk184557 |
| clevo--HotKey Clipboard | Clevo HotKey Clipboard 2.1.0.6 contains an unquoted service path vulnerability in the HKClipSvc service that allows local non-privileged users to potentially execute code with system privileges. Attackers can exploit the misconfigured service path to inject and execute arbitrary code by placing malicious executables in specific file system locations. | 2026-01-13 | 8.4 | CVE-2023-53984 | ExploitDB-51206 Archived Vendor Homepage VulnCheck Advisory: HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path |
| Cmder--Cmder Console Emulator | Cmder Console Emulator 1.3.18 contains a buffer overflow vulnerability that allows attackers to trigger a denial of service condition through a maliciously crafted .cmd file. Attackers can create a specially constructed .cmd file with repeated characters to overwhelm the console emulator's buffer and crash the application. | 2026-01-15 | 9.8 | CVE-2021-47781 | ExploitDB-50401 Cmder GitHub Repository |
| Cobbr--Covenant | Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system. | 2026-01-13 | 9.8 | CVE-2020-36911 | ExploitDB-51141 Vendor Homepage Covenant GitHub Repository Archived Researcher Blog Exploit Repository Archived Maintainer Patch Announcement VulnCheck Advisory: Covenant 0.5 - Remote Code Execution (RCE) |
| Cobiansoft--Cobian Backup | Cobian Backup 0.9 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CobianReflectorService to inject malicious code that will execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50923 | ExploitDB-50810 Vendor Homepage Software Download Page VulnCheck Advisory: Cobian Backup 0.9 - Unquoted Service Path |
| code-projects--Online Music Site | A security flaw has been discovered in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Administrator/PHP/AdminUpdateUser.php. The manipulation of the argument ID results in SQL injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-12 | 7.3 | CVE-2026-0852 | VDB-340447 \| code-projects Online Music Site AdminUpdateUser.php sql injection VDB-340447 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734136 \| code-projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/Learner636/CVE-smbmit/issues/2 https://code-projects.org/ |
| Connectify Inc--Connectify Hotspot | Connectify Hotspot 2018 contains an unquoted service path vulnerability in its ConnectifyService executable that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Connectify\ConnectifyService.exe' to inject malicious executables and escalate privileges. | 2026-01-13 | 8.4 | CVE-2022-50929 | ExploitDB-50764 Official Vendor Homepage VulnCheck Advisory: Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path |
| ConnectWise--PSA | In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user's browser when the affected content is displayed. | 2026-01-16 | 8.7 | CVE-2026-0695 | https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix |
| Contpaqi--CONTPAQ AdminPAQ | CONTPAQi AdminPAQ 14.0.0 contains an unquoted service path vulnerability in the AppKeyLicenseServer service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject malicious code in the service binary path, potentially executing arbitrary code with elevated system privileges during service startup. | 2026-01-13 | 8.4 | CVE-2022-50938 | ExploitDB-50690 CONTPAQi Official Software Download Page VulnCheck Advisory: CONTPAQi® AdminPAQ 14.0.0 - Unquoted Service Path |
| Cooler Master Technology Inc.--Cooler Master MasterPlus | CoolerMaster MasterPlus 1.8.5 contains an unquoted service path vulnerability in the MPService that allows local attackers to execute code with elevated system privileges. Attackers can drop a malicious executable in the service path and trigger code execution during service startup or system reboot. | 2026-01-13 | 8.4 | CVE-2022-50808 | ExploitDB-51159 CoolerMaster MasterPlus Official Homepage VulnCheck Advisory: CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path |
| cotonti.com--Cotonti Siena | Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page. | 2026-01-15 | 7.2 | CVE-2021-47808 | ExploitDB-50016 Vendor Homepage Software Download VulnCheck Advisory: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting |
| croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-14 | 7.5 | CVE-2025-12166 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5214a399-21a4-4573-9840-1d5043781bc0?source=cve https://plugins.trac.wordpress.org/changeset/3408539/ |
| Cyberfox--Cyberfox Web Browser | Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash. | 2026-01-15 | 7.5 | CVE-2021-47784 | ExploitDB-50336 Archived Cyberfox Web Browser Homepage |
| D-Link--DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. Affected by this issue is the function sub_412E7C of the file /goform/set_wifidog_settings. Executing a manipulation of the argument wd_enable can lead to command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-18 | 7.3 | CVE-2026-1125 | VDB-341717 \| D-Link DIR-823X set_wifidog_settings sub_412E7C command injection VDB-341717 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734966 \| D-Link DIR-823X Router V250416 Command Execution https://github.com/DavCloudz/cve/blob/main/D-link/DIR_823X/DIR-823X%20V250416%20Command%20Execution%20Vulnerability.md https://www.dlink.com/ |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2. | 2026-01-12 | 9.1 | CVE-2026-22252 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f |
| daschmi--GetContentFromURL | The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-14 | 7.2 | CVE-2025-14613 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b83db6c7-09af-4707-a96b-ee551f27e3b7?source=cve https://plugins.trac.wordpress.org/browser/getcontentfromurl/trunk/classes/shortcode.class.php#L20 https://plugins.trac.wordpress.org/browser/getcontentfromurl/tags/1.0/classes/shortcode.class.php#L20 |
| dashboardbuilder--DASHBOARD BUILDER WordPress plugin for Charts and Graphs | The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output. | 2026-01-14 | 7.1 | CVE-2025-14615 | https://www.wordfence.com/threat-intel/vulnerabilities/id/106b31ed-d509-4551-a134-02193ab22fe1?source=cve https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder-admin.php#L158 https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder-admin.php#L158 https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder.php#L51 https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder.php#L51 |
| Dell--SupportAssist OS Recovery | Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-01-13 | 7.5 | CVE-2025-46685 | https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456 |
| Delta Electronics--DIAView | Delta Electronics DIAView has multiple vulnerabilities. | 2026-01-16 | 9.8 | CVE-2025-62581 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Multiple%20Vulnerabilities%20(CVE-2025-62581,%20CVE-2025-62582).pdf |
| Delta Electronics--DIAView | Delta Electronics DIAView has multiple vulnerabilities. | 2026-01-16 | 9.8 | CVE-2025-62582 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Multiple%20Vulnerabilities%20(CVE-2025-62581,%20CVE-2025-62582).pdf |
| Delta Electronics--DIAView | Delta Electronics DIAView has Command Injection vulnerability. | 2026-01-16 | 7.8 | CVE-2026-0975 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00002_DIAView%20-Exposed%20Dangerous%20Method%20Remote%20Code%20Execution%20(CVE-2026-0975).pdf |
| denoland--deno | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path's extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6. | 2026-01-15 | 8.1 | CVE-2026-22864 | https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6 https://github.com/denoland/deno/releases/tag/v2.5.6 |
| Denver--Smart Wifi Camera | Denver SHC-150 Smart Wifi Camera contains a hardcoded telnet credential vulnerability that allows unauthenticated attackers to access a Linux shell. Attackers can connect to port 23 using the default credential to execute arbitrary commands on the camera's operating system. | 2026-01-15 | 9.8 | CVE-2021-47796 | ExploitDB-50160 Official Product Homepage VulnCheck Advisory: Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE) |
| dfir-iris--iris-web | Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24. | 2026-01-12 | 9.6 | CVE-2026-22783 | https://github.com/dfir-iris/iris-web/security/advisories/GHSA-qhqj-8qw6-wp8v https://github.com/dfir-iris/iris-web/commit/57c1b80494bac187893aebc6d9df1ce6e56485b7 |
| dharashah--Chikitsa Patient Management System | Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability in the backup restoration functionality. Authenticated attackers can upload a modified backup zip file with a malicious PHP shell to execute arbitrary system commands on the server. | 2026-01-15 | 8.8 | CVE-2021-47757 | ExploitDB-50572 Product Webpage Product GitHub Repository Product Sourceforge Page |
| dharashah--Chikitsa Patient Management System | Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and upload a ZIP plugin with a PHP backdoor that enables arbitrary command execution on the server through a weaponized PHP script. | 2026-01-15 | 8.8 | CVE-2021-47758 | ExploitDB-50571 Product Webpage Product GitHub Repository Product Sourceforge Page |
| Diskboss--DiskBoss Service | DiskBoss Service 12.2.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path locations to gain system-level access during service startup. | 2026-01-16 | 7.8 | CVE-2021-47822 | ExploitDB-49899 Official Vendor Homepage VulnCheck Advisory: DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path |
| Diskpulse--DiskPulse | DiskPulse Enterprise 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Pulse Enterprise\bin\diskpls.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2020-36927 | ExploitDB-50012 Vendor Homepage VulnCheck Advisory: DiskPulse 13.6.14 - Unquoted Service Path |
| Disksavvy--Disk Savvy | Disk Savvy 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in service binaries to inject malicious executables that will be run with elevated LocalSystem privileges. | 2026-01-15 | 7.8 | CVE-2021-47805 | ExploitDB-50024 Vendor Homepage VulnCheck Advisory: Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path |
| Disksorter--Disk Sorter Enterprise | Disk Sorter Enterprise 13.6.12 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47809 | ExploitDB-50014 Vendor Homepage VulnCheck Advisory: Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path |
| Disksorter--Disk Sorter Server | Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Server\bin\disksrs.exe' to inject malicious executables and escalate privileges. | 2026-01-16 | 7.8 | CVE-2021-47847 | ExploitDB-50013 Vendor Homepage VulnCheck Advisory: Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path |
| divisupreme--Supreme Modules Lite Divi Theme, Extra Theme and Divi Builder | The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-01-15 | 8.8 | CVE-2025-13062 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1819f2eb-51ef-4ba4-9137-ab64710fa6c8?source=cve https://plugins.trac.wordpress.org/changeset/3423427/supreme-modules-for-divi |
| docmost--docmost | Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there is no validation of the filename. This vulnerability is fixed in 0.24.0. | 2026-01-15 | 7.1 | CVE-2026-22249 | https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg https://github.com/docmost/docmost/pull/1753 https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05 https://github.com/docmost/docmost/releases/tag/v0.24.0 |
| Dolibarr--CRM | Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation. | 2026-01-15 | 7.2 | CVE-2021-47779 | ExploitDB-50432 Official Dolibarr Vendor Homepage Dolibarr GitHub Repository VulnCheck Advisory: Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation |
| donknap--dpanel | DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2. | 2026-01-15 | 8.1 | CVE-2025-66292 | https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119 https://github.com/donknap/dpanel/releases/tag/v1.9.2 |
| Dupscout--Dup Scout | Dup Scout 13.5.28 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Dup Scout Server\bin\dupscts.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47806 | ExploitDB-50025 Vendor Homepage VulnCheck Advisory: Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path |
| dupterminator--DupTerminator | DupTerminator 1.4.5639.37199 contains a denial of service vulnerability that allows attackers to crash the application by inputting a long character string in the Excluded text box. Attackers can generate a payload of 8000 repeated characters to trigger the application to stop working on Windows 10. | 2026-01-16 | 7.5 | CVE-2021-47818 | ExploitDB-49917 DupTerminator Project Homepage VulnCheck Advisory: DupTerminator 1.4.5639.37199 - Denial of Service |
| dvcrn--Markright | Markright 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to embed malicious payloads in markdown files. Attackers can upload specially crafted markdown files that execute arbitrary JavaScript when opened, potentially enabling remote code execution on the victim's system. | 2026-01-16 | 7.2 | CVE-2021-47838 | ExploitDB-49834 Markright GitHub Repository Proof of Concept Video VulnCheck Advisory: Markright 1.0 - Persistent Cross-Site Scripting |
| Dynojet--Dynojet Power Core | Dynojet Power Core 2.3.0 contains an unquoted service path vulnerability in the DJ.UpdateService that allows local authenticated users to potentially execute code with elevated privileges. Attackers can exploit the unquoted binary path by placing malicious executables in the service's file path to gain Local System access. | 2026-01-15 | 7.8 | CVE-2021-47773 | ExploitDB-50466 Official Vendor Homepage |
| E107--e107 CMS | e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the upload_caption parameter is not properly sanitized. An attacker with administrative privileges can use directory traversal sequences (../../../) in the upload_caption field to overwrite critical system files outside the intended upload directory. This can lead to complete compromise of the web application by overwriting configuration files, executable scripts, or other critical system components. The vulnerability was discovered by Hubert Wojciechowski and affects the image.php component in the admin interface. | 2026-01-13 | 7.2 | CVE-2022-50939 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Upload Restriction Bypass with Path Traversal File Override |
| e107--e107 CMS | e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administrators, allowing them to upload SVG files containing malicious code through the media manager's remote URL upload feature. This results in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS. | 2026-01-13 | 9.8 | CVE-2022-50905 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Reflected XSS via Comment Flow |
| e107--e107 CMS | e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution through the Media Manager import feature. | 2026-01-13 | 7.2 | CVE-2022-50907 | ExploitDB-50910 Official e107 CMS Vendor Homepage e107 CMS Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Admin Upload Restriction Bypass + RCE |
| e107--e107 CMS | e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing files like top.php in the web application directory. | 2026-01-13 | 7.2 | CVE-2022-50916 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Upload restriction bypass (Authenticated [Admin])+ Server file override |
| EaseUS--EaseUS Data Recovery | EaseUS Data Recovery 15.1.0.0 contains an unquoted service path vulnerability in the EaseUS UPDATE SERVICE executable. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. | 2026-01-13 | 8.4 | CVE-2022-50914 | ExploitDB-50886 EaseUS Official Homepage VulnCheck Advisory: EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path |
| Elastic--Kibana | External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads. | 2026-01-14 | 8.6 | CVE-2026-0532 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524 |
| Emerson--Emerson PAC Machine Edition | Emerson PAC Machine Edition 9.80 contains an unquoted service path vulnerability in the TrapiServer service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50930 | ExploitDB-50745 Emerson Official Homepage Software Download Link VulnCheck Advisory: Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path |
| En--Kingdia CD Extractor | Kingdia CD Extractor 3.0.2 contains a buffer overflow vulnerability in the registration name field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload exceeding 256 bytes to overwrite Structured Exception Handler and gain remote code execution through a bind shell. | 2026-01-15 | 9.8 | CVE-2021-47774 | ExploitDB-50470 Software Download Page |
| envoyproxy--gateway | Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2. | 2026-01-12 | 8.8 | CVE-2026-22771 | https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22 |
| Epic Games--Epic Games Store | A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges. | 2026-01-15 | 8.8 | CVE-2025-61973 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2279 |
| Explorerplusplus--Explorer32++ | Explorer32++ 1.3.5.531 contains a buffer overflow vulnerability in Structured Exception Handler (SEH) records that allows attackers to execute arbitrary code. Attackers can exploit the vulnerability by providing a long file name argument over 396 characters to corrupt the SEH chain and potentially execute malicious code. | 2026-01-13 | 9.8 | CVE-2023-54334 | ExploitDB-51077 Archived Explorer++ Website VulnCheck Advisory: Explorer32++ 1.3.5.531 - Buffer overflow |
| Extplorer--eXtplorer | eXtplorer 2.1.14 contains an authentication bypass vulnerability that allows attackers to login without a password by manipulating the login request. Attackers can exploit this flaw to upload malicious PHP files and execute remote commands on the vulnerable file management system. | 2026-01-13 | 9.8 | CVE-2023-54335 | ExploitDB-51067 Official eXtplorer Product Homepage VulnCheck Advisory: eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE) |
| FeMiner--wms | A security vulnerability has been detected in FeMiner wms up to 9cad1f1b179a98b9547fd003c23b07c7594775fa. Affected by this vulnerability is an unknown functionality of the file /src/chkuser.php. The manipulation of the argument Username leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 7.3 | CVE-2026-1059 | VDB-341628 \| FeMiner wms chkuser.php sql injection VDB-341628 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731236 \| GitHub WMS (Warehouse Management System) V1.0 SQL Injection https://github.com/wangchaoxing/CVE/issues/1 |
| FmeAddons--Registration & Login with Mobile Phone Number for WooCommerce | The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password. | 2026-01-17 | 9.8 | CVE-2025-10484 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6aef6fbb-be8c-49e1-ada5-7b4aa8b2ff72?source=cve https://woocommerce.com/products/registration-login-with-mobile-phone-number/ |
| Fortinet--FortiFone | An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in Fortinet FortiFone 7.0.0 through 7.0.1, FortiFone 3.0.13 through 3.0.23 allows an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests. | 2026-01-13 | 9.3 | CVE-2025-47855 | https://fortiguard.fortinet.com/psirt/FG-IR-25-260 |
| Fortinet--FortiSIEM | An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.1.0 through 7.1.8, FortiSIEM 7.0.0 through 7.0.4, FortiSIEM 6.7.0 through 6.7.10 may allow an attacker to execute unauthorized code or commands via crafted TCP requests. | 2026-01-13 | 9.4 | CVE-2025-64155 | https://fortiguard.fortinet.com/psirt/FG-IR-25-772 |
| Fortinet--FortiSwitchManager | A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4.0 through 6.4.16, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an attacker to execute unauthorized code or commands via specially crafted packets. | 2026-01-13 | 7.4 | CVE-2025-25249 | https://fortiguard.fortinet.com/psirt/FG-IR-25-084 |
| Freeter--Freeter | Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads in custom widget titles and files. Attackers can craft malicious files with embedded scripts that execute when victims interact with the application, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47835 | ExploitDB-49833 Official Freeter Product Homepage Proof of Concept Video VulnCheck Advisory: Freeter 1.2.1 - Persistent Cross-Site Scripting |
| Gearboxcomputers--WifiHotSpot | WifiHotSpot 1.0.0.0 contains an unquoted service path vulnerability in its WifiHotSpotService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-16 | 7.8 | CVE-2021-47833 | ExploitDB-49845 WiFi Hotspot Product Page VulnCheck Advisory: WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path |
| getarcaneapp--arcane | Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane's updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0. | 2026-01-15 | 9.1 | CVE-2026-23520 | https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8 https://github.com/getarcaneapp/arcane/pull/1468 https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4 https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0 |
| Getgrav--GravCMS | GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution. | 2026-01-15 | 7.5 | CVE-2021-47812 | ExploitDB-49973 Official Grav CMS Homepage VulnCheck Advisory: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2) |
| Getoutline--Outline | Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be executed with LocalSystem permissions. | 2026-01-13 | 8.4 | CVE-2023-54331 | ExploitDB-51128 Official Outline Product Homepage VulnCheck Advisory: Outline 1.6.0 - Unquoted Service Path |
| Github--Sandboxie Plus | Sandboxie Plus 0.7.4 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-16 | 7.8 | CVE-2021-47832 | ExploitDB-49842 Sandboxie Plus GitHub Repository VulnCheck Advisory: Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality. | 2026-01-14 | 7.7 | CVE-2025-11224 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #573223 HackerOne Bug Bounty Report #3277291 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3. | 2026-01-15 | 7.5 | CVE-2025-64516 | https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46 https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27 https://github.com/glpi-project/glpi/releases/tag/10.0.21 https://github.com/glpi-project/glpi/releases/tag/11.0.3 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3. | 2026-01-15 | 7.5 | CVE-2025-66417 | https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9 |
| Gotac--Police Statistics Database System | Police Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality. | 2026-01-16 | 9.8 | CVE-2026-1019 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| Gotac--Police Statistics Database System | Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-16 | 9.8 | CVE-2026-1021 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| Gotac--Police Statistics Database System | Police Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | 2026-01-16 | 7.5 | CVE-2026-1018 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| Gotac--Statistics Database System | Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | 2026-01-16 | 7.5 | CVE-2026-1022 | https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html |
| Gotac--Statistics Database System | Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents. | 2026-01-16 | 7.5 | CVE-2026-1023 | https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html |
| Grocerycrud--Grocery crud | Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list endpoint to potentially extract or modify database information. | 2026-01-15 | 8.2 | CVE-2021-47811 | ExploitDB-49985 Vendor Homepage Software Download Page VulnCheck Advisory: Grocery crud 1.6.4 - 'order_by' SQL Injection |
| h3js--h3 | H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5. | 2026-01-15 | 8.9 | CVE-2026-23527 | https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097 |
| HCL Software--MyXalytics | HCL MyXalytics v6.7 is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk. | 2026-01-16 | 7.4 | CVE-2025-59870 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128115 |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | An arbitrary file deletion vulnerability has been identified in a system function of mobility conductors running AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary files within the affected system and potentially result in denial-of-service conditions on affected devices. | 2026-01-13 | 8.2 | CVE-2025-37168 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | A stack overflow vulnerability exists in the AOS-10 web-based management interface of a Mobility Gateway. Successful exploitation could allow an authenticated malicious actor to execute arbitrary code as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37169 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37170 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37171 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37172 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | An improper input handling vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor with valid credentials to trigger unintended behavior on the affected system. | 2026-01-13 | 7.2 | CVE-2025-37173 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Authenticated arbitrary file write vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to create or modify arbitrary files and execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37174 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | An arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privileged user and execute arbitrary commands on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37175 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | 2026-01-14 | 7.2 | CVE-2025-37181 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | 2026-01-14 | 7.2 | CVE-2025-37182 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | 2026-01-14 | 7.2 | CVE-2025-37183 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--Instant On | A vulnerability in the router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor could gain knowledge of internal network configuration details through inspecting impacted packets. | 2026-01-13 | 7.5 | CVE-2025-37165 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--Instant On | A vulnerability affecting HPE Networking Instant On Access Points has been identified where a device processing a specially crafted packet could enter a non-responsive state, in some cases requiring a hard reset to re-establish services. A malicious actor could leverage this vulnerability to conduct a Denial-of-Service attack on a target network. | 2026-01-13 | 7.5 | CVE-2025-37166 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--Virtual Intranet Access (VIA) | A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking Virtual Intranet Access (VIA) client. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges. | 2026-01-13 | 7.8 | CVE-2025-37186 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04994en_us&docLocale=en_US |
| Hikvision--DS-96xxxNI-Hx | There is a stack overflow vulnerability in the device Search and Discovery feature of Hikvision NVR/DVR/CVR/IPC models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. | 2026-01-13 | 8.8 | CVE-2025-66177 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/ |
| Hikvision--DS-K1T331 | There is a stack overflow vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. | 2026-01-13 | 8.8 | CVE-2025-66176 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/ |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the JWT header's alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4. | 2026-01-13 | 8.2 | CVE-2026-22817 | https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4 https://github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values. This vulnerability is fixed in 4.11.4. | 2026-01-13 | 8.2 | CVE-2026-22818 | https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4 https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134 |
| Httpdebugger--HTTPDebuggerPro | HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system. | 2026-01-15 | 7.8 | CVE-2021-47762 | ExploitDB-50545 Official Product Homepage |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8 | CVE-2025-68955 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8 | CVE-2025-68956 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8.4 | CVE-2025-68957 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8 | CVE-2025-68958 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the video framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8.4 | CVE-2025-68960 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Double free vulnerability in the multi-mode input module. Impact: Successful exploitation of this vulnerability may affect the input function. | 2026-01-14 | 7.8 | CVE-2025-68968 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| I-Funbox--iFunbox | iFunbox 4.2 contains an unquoted service path vulnerability in the Apple Mobile Device Service that allows local attackers to execute code with elevated privileges. Attackers can insert a malicious executable into the unquoted service path to run with LocalSystem privileges when the service restarts. | 2026-01-15 | 7.8 | CVE-2021-47803 | ExploitDB-50040 iFunbox Official Homepage VulnCheck Advisory: iFunbox 4.2 - 'Apple Mobile Device Service' Unquoted Service Path |
| ilwebmaster21--WOW21 | WOW21 5.0.1.9 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50921 | ExploitDB-50818 Archived Product Homepage VulnCheck Advisory: WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path |
| ImpressCMS--ImpressCMS | ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions (.php2, .php6, .php7, .phps, .pht) to execute arbitrary PHP code on the server. | 2026-01-13 | 9.8 | CVE-2022-50912 | ExploitDB-50890 Official ImpressCMS Homepage ImpressCMS GitHub Repository VulnCheck Advisory: ImpressCMS 1.4.4 - Unrestricted File Upload |
| Inbit--Inbit Messenger | Inbit Messenger 4.6.0 - 4.9.0 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by exploiting a stack overflow in the messenger's protocol. Attackers can send specially crafted XML packets to port 10883 with a malicious payload to trigger the vulnerability and execute commands with system privileges. | 2026-01-13 | 9.8 | CVE-2023-54329 | ExploitDB-51127 Archived Software Download Page Exploit Write-Up VulnCheck Advisory: Inbit Messenger 4.9.0 - Unauthenticated Remote Command Execution (RCE) |
| Inbit--Inbit Messenger | Inbit Messenger versions 4.6.0 to 4.9.0 contain a remote stack-based buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code by sending malformed network packets. Attackers can craft a specially designed payload targeting the messenger's network handler to overwrite the Structured Exception Handler (SEH) and execute shellcode on vulnerable Windows systems. | 2026-01-13 | 9.8 | CVE-2023-54330 | ExploitDB-51126 Archived Software Download Page Exploit Write-Up VulnCheck Advisory: Inbit Messenger 4.9.0 - Unauthenticated Remote SEH Overflow |
| Infonetsoftware--Mediconta | Mediconta 3.7.27 contains an unquoted service path vulnerability in the servermedicontservice that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\medicont3\ to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2023-54336 | ExploitDB-51064 Vendor Homepage VulnCheck Advisory: Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path |
| Insyde Software--InsydeH2O tools | The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12050 | https://www.insyde.com/security-pledge/sa-2025010/ |
| Insyde Software--InsydeH2O tools | The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12051 | https://www.insyde.com/security-pledge/sa-2025010/ |
| Insyde Software--InsydeH2O tools | The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12052 | https://www.insyde.com/security-pledge/sa-2025010/ |
| Insyde Software--InsydeH2O tools | The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12053 | https://www.insyde.com/security-pledge/sa-2025010/ |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, there is a heap-based buffer overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2. | 2026-01-13 | 8.8 | CVE-2026-22861 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-vr49-3vf8-7j5h https://github.com/InternationalColorConsortium/iccDEV/pull/475 https://github.com/InternationalColorConsortium/iccDEV/pull/476 https://github.com/InternationalColorConsortium/iccDEV/commit/fa9a364c01fc2e59eb2291e1f9b1c1359b7d5329 |
| ITEC--TCQ | ITeC ITeCProteccioAppServer contains an unquoted service path vulnerability that allows local attackers to execute code with elevated system privileges. Attackers can insert a malicious executable in the service path to gain elevated access during service restart or system reboot. | 2026-01-13 | 8.4 | CVE-2022-50913 | ExploitDB-50902 Vendor Homepage VulnCheck Advisory: TCQ - 'ITeCProteccioAppServer.exe' Unquoted Service Path |
| itsourcecode--Society Management System | A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-01-18 | 7.3 | CVE-2026-1119 | VDB-341711 \| itsourcecode Society Management System delete_activity.php sql injection VDB-341711 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734290 \| itsourcecode Society Management System V1.0 SQL injection https://github.com/AriazzzZ/CVE/issues/1 https://itsourcecode.com/ |
| IVT Corp--Bluetooth Application BlueSoleilCS | BlueSoleilCS 5.4.277 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in 'C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe' to inject malicious executables and escalate privileges. | 2026-01-13 | 8.4 | CVE-2022-50928 | ExploitDB-50761 Archived IVT Corporation Website VulnCheck Advisory: Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path |
| jeroenpeters1986--Name Directory | The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 7.2 | CVE-2025-15283 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3c9de67e-24f7-4c4a-b187-405597b838c3?source=cve https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/shortcode.php?marks=38,41,69#L38 https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/admin.php?marks=927-928#L927 |
| jokkedk--Webgrind | Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, such as using payload '0%27%26calc.exe%26%27' to execute commands on the target system. | 2026-01-13 | 9.8 | CVE-2023-54339 | ExploitDB-51074 Webgrind GitHub Repository VulnCheck Advisory: Webgrind 1.1 - Remote Command Execution (RCE) via dataFile Parameter |
| jotron--StudyMD | StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47842 | ExploitDB-49832 StudyMD GitHub Repository Proof of Concept Video VulnCheck Advisory: StudyMD 0.3.2 - Persistent Cross-Site Scripting |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the Juniper DHCP service (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a DHCP client in one subnet to exhaust the address pools of other subnets, leading to a Denial of Service (DoS) on the downstream DHCP server. By default, the DHCP relay agent inserts its own Option 82 information when forwarding client requests, optionally replacing any Option 82 information provided by the client. When a specific DHCP DISCOVER is received in 'forward-only' mode with Option 82, the device should drop the message unless 'trust-option82' is configured. Instead, the DHCP relay forwards these packets to the DHCP server unmodified, which uses up addresses in the DHCP server's address pool, ultimately leading to address pool exhaustion. This issue affects Junos OS: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S12, * all versions of 22.2, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R1-S1, 25.2R2. Junos OS Evolved: * all versions before 21.4R3-S12-EVO, * all versions of 22.2-EVO, * from 22.4 before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. | 2026-01-15 | 7.4 | CVE-2025-59960 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103149 |
| Juniper Networks--Junos OS | A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). When an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will crash and restart when attempting to advertise the received information to another peer. This issue can only happen if one or both of the BGP peers of the receiving session are non-4-byte-AS capable as determined from the advertised capabilities during BGP session establishment. Junos OS and Junos OS Evolved default behavior is 4-byte-AS capable unless this has been specifically disabled by configuring: [ protocols bgp ... disable-4byte-as ] Established BGP sessions can be checked by executing: show bgp neighbor <IP address> \| match "4 byte AS" This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. | 2026-01-15 | 7.5 | CVE-2025-60003 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103166 |
| Juniper Networks--Junos OS | A Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the SIP application layer gateway (ALG) of Juniper Networks Junos OS on SRX Series and MX Series with MX-SPC3 or MS-MPC allows an unauthenticated network-based attacker sending specific SIP messages over TCP to crash the flow management process, leading to a Denial of Service (DoS). On SRX Series, and MX Series with MX-SPC3 or MS-MPC service cards, receipt of multiple SIP messages causes the SIP headers to be parsed incorrectly, eventually causing a continuous loop and leading to a watchdog timer expiration, crashing the flowd process on SRX Series and MX Series with MX-SPC3, or mspmand process on MX Series with MS-MPC. This issue only occurs over TCP. SIP messages sent over UDP cannot trigger this issue. This issue affects Junos OS on SRX Series and MX Series with MX-SPC3 and MS-MPC: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S1, 25.2R2. | 2026-01-15 | 7.5 | CVE-2026-21905 | https://supportportal.juniper.net/JSA106004 https://kb.juniper.net/JSA106004 |
| Juniper Networks--Junos OS | An Improper Handling of Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated network-based attacker sending a specific ICMP packet through a GRE tunnel to cause the PFE to crash and restart. When PowerMode IPsec (PMI) and GRE performance acceleration are enabled and the device receives a specific ICMP packet, a crash occurs in the SRX PFE, resulting in traffic loss. PMI is enabled by default, and GRE performance acceleration can be enabled by running the configuration command shown below. PMI is a mode of operation that provides IPsec performance improvements using Vector Packet Processing. Note that PMI with GRE performance acceleration is only supported on specific SRX platforms. This issue affects Junos OS on the SRX Series: * all versions before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S1, 25.2R2. | 2026-01-15 | 7.5 | CVE-2026-21906 | https://supportportal.juniper.net/JSA106005 https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-powermode-ipsec-vpn.html https://kb.juniper.net/JSA106005 |
| Juniper Networks--Junos OS | A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a Denial of Service (DoS), or potentially execute arbitrary code within the context of the process running as root. The issue is specific to the processing of a change in authorization (CoA) when a port bounce occurs. A pointer is freed but was then referenced later in the same code path. Successful exploitation is outside the attacker's direct control due to the specific timing of the two events required to execute the vulnerable code path. This issue affects systems with 802.1X authentication port-based network access control (PNAC) enabled. This issue affects: Junos OS: * from 23.2R2-S1 before 23.2R2-S5, * from 23.4R2 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S2, 25.2R2; Junos OS Evolved: * from 23.2R2-S1 before 23.2R2-S5-EVO, * from 23.4R2 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S3-EVO, * from 24.4 before 24.4R2-S1-EVO, * from 25.2 before 25.2R1-S2-EVO, 25.2R2-EVO. | 2026-01-15 | 7.1 | CVE-2026-21908 | https://supportportal.juniper.net/JSA106007 https://kb.juniper.net/JSA106007 |
| Juniper Networks--Junos OS | An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP) a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted. The following reboot reason can be seen in the output of 'show chassis routing-engine' and as a log message: reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump This issue affects Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP: * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R1-S2, 25.2R2. This issue does not affect versions before 24.4R1 as the first Junos OS version for the EX4000 models was 24.4R1. | 2026-01-15 | 7.5 | CVE-2026-21913 | https://supportportal.juniper.net/JSA106014 https://kb.juniper.net/JSA106014 |
| Juniper Networks--Junos OS | An Improper Locking vulnerability in the GTP plugin of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device receives a specifically malformed GPRS Tunnelling Protocol (GTP) Modify Bearer Request message, a lock is acquired and never released. This results in other threads not being able to acquire a lock themselves, causing a watchdog timeout leading to FPC crash and restart. This issue leads to a complete traffic outage until the device has automatically recovered. This issue affects Junos OS on SRX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S1, 25.2R2. | 2026-01-15 | 7.5 | CVE-2026-21914 | https://supportportal.juniper.net/JSA106015 https://kb.juniper.net/JSA106015 |
| Juniper Networks--Junos OS | An Improper Validation of Syntactic Correctness of Input vulnerability in the Web-Filtering module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX device configured for UTM Web-Filtering receives a specifically malformed SSL packet, this will cause an FPC crash and restart. This issue affects Junos OS on SRX Series: * 23.2 versions from 23.2R2-S2 before 23.2R2-S5, * 23.4 versions from 23.4R2-S1 before 23.4R2-S5, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R1-S3, 24.4R2. Earlier versions of Junos are also affected, but no fix is available. | 2026-01-15 | 7.5 | CVE-2026-21917 | https://supportportal.juniper.net/JSA105996 https://kb.juniper.net/JSA105996 |
| Juniper Networks--Junos OS | A Double Free vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On all SRX and MX Series platforms, a double free occurs when a specific sequence of packets is encountered during TCP session establishment. This causes flowd to crash and the respective FPC to restart. This issue affects Junos OS on SRX and MX Series: * all versions before 22.4R3-S7, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2. | 2026-01-15 | 7.5 | CVE-2026-21918 | https://supportportal.juniper.net/JSA106018 https://kb.juniper.net/JSA106018 |
| Juniper Networks--Junos OS | An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device configured for DNS processing receives a specifically formatted DNS request, flowd will crash and restart, which causes a service interruption until the process has recovered. This issue affects Junos OS on SRX Series: * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R2. This issue does not affect Junos OS versions before 23.4R1. | 2026-01-15 | 7.5 | CVE-2026-21920 | https://supportportal.juniper.net/JSA106020 https://kb.juniper.net/JSA106020 |
| kalyan02--NanoCMS | NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution through unvalidated page content creation. Authenticated attackers can upload PHP files with arbitrary code to the server's pages directory by exploiting the page creation mechanism without proper input sanitization. | 2026-01-13 | 8.8 | CVE-2022-50898 | ExploitDB-50997 NanoCMS GitHub Repository NanoCMS Exploit Archive VulnCheck Advisory: NanoCMS 0.4 - Remote Code Execution (RCE) (Authenticated) |
| kraftplugins--Demo Importer Plus | The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0. | 2026-01-17 | 7.5 | CVE-2025-14478 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b2971aa0-8287-4142-bd04-7aec1ed92e7b?source=cve https://plugins.trac.wordpress.org/browser/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php#L88 https://plugins.trac.wordpress.org/browser/demo-importer-plus/tags/2.0.6/inc/importers/class-demo-importer-plus-sites-helper.php#L88 https://plugins.trac.wordpress.org/changeset/3439643/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php |
| KYOCERA Document Solutions--Kyocera Command Center RX | Kyocera Command Center RX ECOSYS M2035dn contains a directory traversal vulnerability that allows unauthenticated attackers to read sensitive system files by manipulating file paths under the /js/ path. Attackers can exploit the issue by sending requests like /js/../../../../.../etc/passwd%00.jpg (null-byte appended traversal) to access critical files such as /etc/passwd and /etc/shadow. | 2026-01-13 | 7.5 | CVE-2022-50932 | ExploitDB-50738 Kyocera Command Center RX Official Product Page VulnCheck Advisory: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated) |
| LabRedesCefetRJ--WeGIA | WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode user-supplied input via the id_memorando GET parameter before reflecting it into the HTML source (likely inside a <script> block or an attribute). This allows unauthenticated attackers to inject arbitrary JavaScript or HTML into the context of the user's browser session. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 9.1 | CVE-2026-23722 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7hh-6qj7-mcqf |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 7.2 | CVE-2026-23723 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xfmp-2hf9-gfjp https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| Laravel--Laravel Valet | Laravel Valet versions 1.1.4 to 2.0.3 contain a local privilege escalation vulnerability that allows users to modify the valet command with root privileges. Attackers can edit the symlinked valet command to execute arbitrary code with root permissions without additional authentication. | 2026-01-15 | 8.4 | CVE-2021-47756 | ExploitDB-50591 Laravel Valet Official Documentation VulnCheck Advisory: Laravel Valet 2.0.3 - Local Privilege Escalation (macOS) |
| Leawo--Leawo Prof. Media | Leawo Prof. Media 11.0.0.1 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized payload in the activation keycode field. Attackers can generate a 6000-byte buffer of repeated characters to trigger an application crash when pasted into the registration interface. | 2026-01-15 | 7.5 | CVE-2021-47797 | ExploitDB-50153 Vendor Homepage VulnCheck Advisory: Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC) |
| lemonldap-ng--LemonLDAP::NG | In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication. | 2026-01-16 | 7.2 | CVE-2025-31510 | https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3341 |
| Lenovo--ThinkPlus FU100 | A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint. | 2026-01-14 | 7.8 | CVE-2025-13455 | https://iknow.lenovo.com.cn/detail/436983 |
| Levelprograms--Kmaleon | Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information. | 2026-01-15 | 7.1 | CVE-2021-47766 | ExploitDB-50499 Archived Kmaleon Software Product Page |
| Litexmedia--Audio Conversion Wizard | Audio Conversion Wizard v2.01 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory with a specially crafted registration code. Attackers can generate a payload that overwrites the application's memory stack, potentially enabling remote code execution through a carefully constructed input buffer. | 2026-01-13 | 9.8 | CVE-2022-50922 | ExploitDB-50811 Audio Wizard Product Webpage VulnCheck Advisory: Audio Conversion Wizard v2.01 - Buffer Overflow |
| Litexmedia--YouTube Video Grabber | YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. Attackers can craft a malicious payload of 712 bytes with SEH manipulation to trigger a bind shell connection on a specified local port. | 2026-01-15 | 8.4 | CVE-2021-47775 | ExploitDB-50471 Product Webpage |
| Macro-Expert--Macro Expert | Macro Expert 4.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the improperly configured service path to inject malicious executables that will be run with LocalSystem permissions during service startup. | 2026-01-15 | 7.8 | CVE-2021-47780 | ExploitDB-50431 Macro Expert Official Website VulnCheck Advisory: Macro Expert 4.7 - Unquoted Service Path |
| Mailhog--Mailhog | Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation. | 2026-01-13 | 7.2 | CVE-2022-50908 | ExploitDB-50971 MailHog GitHub Repository Shodan Search Results for MailHog VulnCheck Advisory: Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS) |
| Malavida--Cain & Abel | Cain & Abel 4.9.56 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions. | 2026-01-13 | 8.4 | CVE-2022-50933 | ExploitDB-50728 Official Software Download Page VulnCheck Advisory: Cain & Abel 4.9.56 - Unquoted Service Path |
| MCPJam--inspector | MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE): an attacker can send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch. | 2026-01-16 | 9.8 | CVE-2026-23744 | https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6 https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a |
| MegaTKC--Aero CMS | Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the system. | 2026-01-13 | 8.2 | CVE-2022-50895 | ExploitDB-51022 Archived AeroCMS GitHub Repository Vulnerability Research Repository VulnCheck Advisory: Aero CMS 0.0.1 - SQL Injection |
| Merit LILIN--DH032 | Certain DVR/NVR models developed by Merit LILIN have an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device. | 2026-01-12 | 8.8 | CVE-2026-0854 | https://www.twcert.org.tw/tw/cp-132-10624-6599c-1.html https://www.twcert.org.tw/en/cp-139-10623-4f523-2.html |
| Merit LILIN--P2 | Certain IP Camera models developed by Merit LILIN have an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device. | 2026-01-12 | 8.8 | CVE-2026-0855 | https://www.twcert.org.tw/tw/cp-132-10625-fac5c-1.html https://www.twcert.org.tw/en/cp-139-10626-afbe2-2.html |
| metagauss--RegistrationMagic Custom Registration Forms, User Registration, Payment, and User Login | The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is because the 'add_menu' function is accessible via the 'rm_user_exists' AJAX action and allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin's menu generation logic; when the admin menu is subsequently built, the plugin adds the 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user. | 2026-01-17 | 9.8 | CVE-2025-15403 | https://www.wordfence.com/threat-intel/vulnerabilities/id/68dd9f6f-ccee-4a27-bd21-2fb32b92cc62?source=cve https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/controllers/class_rm_options_controller.php#L562 https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/class_rm_admin.php#L487 https://plugins.trac.wordpress.org/changeset/3440797/custom-registration-form-builder-with-submission-manager#file2 |
| Microsoft--Azure Connected Machine Agent | Stack-based buffer overflow in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-21224 | Azure Connected Machine Agent Elevation of Privilege Vulnerability |
| Microsoft--Azure Core shared client library for Python | Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network. | 2026-01-13 | 7.5 | CVE-2026-21226 | Azure Core shared client library for Python Remote Code Execution Vulnerability |
| Microsoft--Microsoft 365 Apps for Enterprise | Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2026-01-13 | 8.4 | CVE-2026-20944 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft--Microsoft 365 Apps for Enterprise | Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally. | 2026-01-13 | 7.8 | CVE-2026-20949 | Microsoft Excel Security Feature Bypass Vulnerability |
| Microsoft--Microsoft 365 Apps for Enterprise | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20956 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-01-13 | 8.4 | CVE-2026-20952 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-01-13 | 8.4 | CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft--Microsoft Office 2019 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20946 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Microsoft Power Apps | Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network. | 2026-01-16 | 8 | CVE-2026-20960 | Microsoft Power Apps Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of special elements used in an SQL command ('SQL injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2026-01-13 | 8.8 | CVE-2026-20947 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2026-01-13 | 8.8 | CVE-2026-20963 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20948 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20951 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Server 2019 | Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7 | CVE-2026-20943 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
| Microsoft--Microsoft SQL Server 2022 (GDR) | Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.2 | CVE-2026-20803 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| Microsoft--Office Online Server | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20950 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20955 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20957 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper input validation in Windows Server Update Service allows an unauthorized attacker to execute code over a network. | 2026-01-13 | 8.1 | CVE-2026-20856 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2026-01-13 | 8.8 | CVE-2026-20868 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network. | 2026-01-13 | 8 | CVE-2026-20931 | Windows Telephony Service Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally. | 2026-01-13 | 7.7 | CVE-2026-20804 | Windows Hello Tampering Vulnerability |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (TOCTOU) race condition in Windows Kernel Memory allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20809 | Windows Kernel Memory Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Free of memory not on the heap in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20810 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20814 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (TOCTOU) race condition in Windows Installer allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20816 | Windows Installer Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20822 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20826 | Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (TOCTOU) race condition in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20831 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability | 2026-01-13 | 7.8 | CVE-2026-20832 | Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20836 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20837 | Windows Media Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20840 | Windows NTFS Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20843 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Clipboard Server allows an unauthorized attacker to elevate privileges locally. | 2026-01-13 | 7.4 | CVE-2026-20844 | Windows Clipboard Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20848 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Reliance on untrusted inputs in a security decision in Windows Kerberos allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20849 | Windows Kerberos Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally. | 2026-01-13 | 7.7 | CVE-2026-20852 | Windows Hello Tampering Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows WalletService allows an unauthorized attacker to elevate privileges locally. | 2026-01-13 | 7.4 | CVE-2026-20853 | Windows WalletService Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20858 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20860 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20861 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20864 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20865 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20866 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20867 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Local Session Manager (LSM) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20869 | Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20873 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20874 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network. | 2026-01-13 | 7.5 | CVE-2026-20875 | Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20877 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20918 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20919 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20921 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20923 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20924 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20926 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20929 | Windows HTTP.sys Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20934 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 22H2 | Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20940 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20857 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20938 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
| Microsoft--Windows Admin Center in Azure Portal | Improper verification of cryptographic signature in Windows Admin Center allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.5 | CVE-2026-20965 | Windows Admin Center Elevation of Privilege Vulnerability |
| Microsoft--Windows SDK | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7 | CVE-2026-21219 | Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability |
| Microsoft--Windows Server 2019 | Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network. | 2026-01-13 | 7.5 | CVE-2026-0386 | Windows Deployment Services Remote Code Execution Vulnerability |
| Microsoft--Windows Server 2022 | Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20811 | Win32k Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20817 | Windows Error Reporting Service Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20820 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20842 | Microsoft DWM Core Library Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Double free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20863 | Win32k Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Use after free in Desktop Windows Manager allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20871 | Desktop Windows Manager Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20920 | Win32k Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20922 | Windows NTFS Remote Code Execution Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Printer Association Object allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20808 | Windows File Explorer Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20815 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20830 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Use after free in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to execute code over a network. | 2026-01-13 | 7.5 | CVE-2026-20854 | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20859 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20870 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20941 | Host Process for Windows Tasks Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-21221 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| Millegpg--MilleGPG5 | MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts. | 2026-01-15 | 7.8 | CVE-2021-47761 | ExploitDB-50558 Vendor Homepage |
| mindsdb--mindsdb | MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB's storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1. | 2026-01-12 | 8.1 | CVE-2025-68472 | https://github.com/mindsdb/mindsdb/security/advisories/GHSA-qqhf-pm3j-96g7 |
| MIT--Kerberos 5 | In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash. | 2026-01-16 | 7.1 | CVE-2025-24528 | https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0 https://github.com/krb5/krb5/compare/krb5-1.21.3-final...krb5-1.22-final |
| Modular DS--Modular DS | Incorrect Privilege Assignment vulnerability in Modular DS allows Privilege Escalation. This issue affects Modular DS: from n/a through 2.5.1. | 2026-01-14 | 10 | CVE-2026-23550 | https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-monitor-update-and-backup-multiple-websites-plugin-2-5-1-privilege-escalation-vulnerability?_s_id=cve https://patchstack.com/articles/critical-privilege-escalation-vulnerability-in-modular-ds-plugin-affecting-40k-sites-exploited-in-the-wild/ https://help.modulards.com/en/article/modular-ds-security-release-modular-connector-252-dm3mv0/ |
| Moeditor--Moeditor | Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload specially crafted markdown files with embedded JavaScript that execute when opened, potentially enabling remote code execution on the victim's system. | 2026-01-16 | 7.2 | CVE-2021-47840 | ExploitDB-49830 Moeditor Official Homepage Proof of Concept Video VulnCheck Advisory: Moeditor 0.2.0 - Persistent Cross-Site Scripting |
| Mp3-Avi-Mpeg-Wmv-Rm-To-Audio-Cd-Burner--Ether_MP3_CD_Burner | Ether MP3 CD Burner 1.3.8 contains a buffer overflow vulnerability in the registration name field that allows remote code execution. Attackers can craft a malicious payload to overwrite SEH handlers and execute a bind shell on port 3110 by exploiting improper input validation. | 2026-01-15 | 9.8 | CVE-2021-47785 | ExploitDB-50332 Software Download Link VulnCheck Advisory: Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH) |
| mrvladus--Errands | Errands before 46.2.10 does not verify TLS certificates for CalDAV servers. | 2026-01-12 | 8.2 | CVE-2025-71063 | https://github.com/mrvladus/Errands/issues/401 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123738 https://github.com/mrvladus/Errands/releases/tag/46.2.10 https://github.com/mrvladus/Errands/commit/04e567b432083fc798ea2249363ea6c83ff01099 https://github.com/mrvladus/Errands/compare/46.2.9...46.2.10 |
| n/a--EasyCMS | A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument _order leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 7.3 | CVE-2026-1105 | VDB-341697 \| EasyCMS UserAction.class.php sql injection VDB-341697 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731465 \| https://github.com/TeamEasy/EasyCMS EasyCMS v1.6 SQL injection vulnerability https://github.com/ueh1013/VULN/issues/15 |
| N/A--Modular DS | Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation. This issue affects Modular DS: from 2.5.2 before 2.6.0. | 2026-01-16 | 10 | CVE-2026-23800 | https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability?_s_id=cve |
| n8n--n8n | Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under "Internal" execution mode. If the instance is operating under the "External" execution mode (ex. n8n's official Docker image) - arbitrary code execution occurs inside a Sidecar container and not the main node, which significantly reduces the vulnerability impact. | 2026-01-18 | 8.5 | CVE-2026-0863 | https://research.jfrog.com/vulnerabilities/n8n-python-runner-sandbox-escape-jfsa-2026-001651077/ https://github.com/n8n-io/n8n/commit/b73a4283cb14e0f27ce19692326f362c7bf3da02 |
| National Oceanic and Atmospheric Administration (NOAA)--Live Access Server (LAS) | Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24. | 2026-01-15 | 9.8 | CVE-2025-62193 | url url url url url url url |
| Noteburner--NoteBurner | NoteBurner 2.35 contains a buffer overflow vulnerability in the license code input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the 'Name' and 'Code' fields to trigger an application crash. | 2026-01-15 | 9.8 | CVE-2021-47798 | ExploitDB-50154 Official Product Homepage VulnCheck Advisory: NoteBurner 2.35 - Denial Of Service (DoS) (PoC) |
| Nsauditor--Backup Key Recovery | Backup Key Recovery 2.2.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a large buffer of 256 repeated characters into the registration key field to trigger application instability and potential crash. | 2026-01-15 | 7.5 | CVE-2021-47813 | ExploitDB-49966 Vendor Homepage VulnCheck Advisory: Backup Key Recovery 2.2.7 - Denial of Service (PoC) |
| Nsauditor--NBMonitor | NBMonitor 1.6.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a 256-character buffer into the registration key field to trigger an application crash and potential system instability. | 2026-01-15 | 7.5 | CVE-2021-47814 | ExploitDB-49964 Vendor Homepage VulnCheck Advisory: NBMonitor 1.6.8 - Denial of Service (PoC) |
| Nsauditor--Nsauditor | Nsauditor 3.2.3 contains a denial of service vulnerability in the registration code input field that allows attackers to crash the application. Attackers can paste a large buffer of 256 repeated characters into the 'Key' field to trigger an application crash. | 2026-01-15 | 7.5 | CVE-2021-47815 | ExploitDB-49965 Vendor Homepage VulnCheck Advisory: Nsauditor 3.2.3 - Denial of Service (PoC) |
| NVIDIA--NSIGHT Graphics | NVIDIA NSIGHT Graphics for Linux contains a vulnerability where an attacker could cause command injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and denial of service. | 2026-01-14 | 7.8 | CVE-2025-33206 | https://nvd.nist.gov/vuln/detail/CVE-2025-33206 https://www.cve.org/CVERecord?id=CVE-2025-33206 https://nvidia.custhelp.com/app/answers/detail/a_id/5738 |
| Odinesolutions--Odine Solutions GateKeeper | Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. Attackers can exploit the vulnerability by sending crafted payloads to the /rass/api/v1/trafficCycle/ endpoint to manipulate PostgreSQL database queries and potentially extract sensitive information. | 2026-01-15 | 8.2 | CVE-2021-47782 | ExploitDB-50381 Odine Solutions GateKeeper Product Homepage VulnCheck Advisory: Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection |
| OpenAgentPlatform--Dive | Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim's machine. This vulnerability is fixed in 0.13.0. | 2026-01-16 | 9.7 | CVE-2026-23523 | https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-pjj5-f3wm-f9m8 https://github.com/OpenAgentPlatform/Dive/commit/a5162ac9eff366d8ea1215b8a47139a81a55a779 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2. | 2026-01-13 | 10 | CVE-2025-68271 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-w757-4qv9-mghp |
| Phoenix Contact--TC ROUTER 3002T-3G | An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control of code generation ('Code Injection'). | 2026-01-13 | 8.8 | CVE-2025-41717 | https://certvde.com/de/advisories/VDE-2025-073 |
| Phphtmledit--CuteEditor | CuteEditor for PHP (now referred to as Rich Text Editor) 6.6 contains a directory traversal vulnerability in the browse template feature that allows attackers to write files to arbitrary web root directories. Attackers can exploit the ServerMapPath() function by renaming uploaded HTML files using directory traversal sequences to write files outside the intended template directory. | 2026-01-13 | 7.5 | CVE-2021-47751 | ExploitDB-50994 Vendor Homepage VulnCheck Advisory: CuteEditor for PHP 6.6 - Directory Traversal |
| Phpkf--phpKF CMS | phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter. | 2026-01-15 | 9.8 | CVE-2021-47753 | ExploitDB-50610 Official Vendor Homepage Software Download Page |
| pimcore--pimcore | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14. | 2026-01-14 | 8.8 | CVE-2026-23492 | https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3 |
| pimcore--pimcore | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14. | 2026-01-15 | 8.6 | CVE-2026-23493 | https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h https://github.com/pimcore/pimcore/pull/18918 https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601 https://github.com/pimcore/pimcore/releases/tag/v11.5.14 https://github.com/pimcore/pimcore/releases/tag/v12.3.1 |
| Pjo2--Tftpd32_SE | Tftpd32 SE 4.60 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with system-level permissions. | 2026-01-13 | 8.4 | CVE-2023-54338 | ExploitDB-51076 Vendor Homepage VulnCheck Advisory: Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path |
| plugins360--All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-01-16 | 8.8 | CVE-2025-12957 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ad2e1d91-03bd-4e47-b679-81c42414238b?source=cve https://plugins.trac.wordpress.org/changeset/3405593/all-in-one-video-gallery |
| Primera--PTPublisher | PTPublisher 2.3.4 contains an unquoted service path vulnerability in the PTProtect service that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe' to inject malicious executables and gain system-level access. | 2026-01-13 | 8.4 | CVE-2022-50915 | ExploitDB-50885 Primera Technology Official Homepage VulnCheck Advisory: PTPublisher 2.3.4 - Unquoted Service Path |
| Private Internet Access--Private Internet Access | Private Internet Access 3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50924 | ExploitDB-50804 Vendor Homepage Software Download Page VulnCheck Advisory: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path |
| Progress Software--Flowmon ADS | A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 where an SQL injection vulnerability allows authenticated users to execute unintended SQL queries and commands. | 2026-01-13 | 8.8 | CVE-2025-13774 | https://community.progress.com/s/article/Flowmon-ADS-CVE-2025-13774 |
| Progress Software--LoadMaster | OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with "User Administration" permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters | 2026-01-13 | 8.4 | CVE-2025-13444 | https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 |
| Progress Software--LoadMaster | OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with "User Administration" permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters | 2026-01-13 | 8.4 | CVE-2025-13447 | https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 |
| Projeqtor--ProjeQtOr Project Management | ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter. | 2026-01-15 | 9.8 | CVE-2021-47819 | ExploitDB-49919 ProjeQtOr Official Website |
| ProtonVPN--ProtonVPN | ProtonVPN 1.26.0 contains an unquoted service path vulnerability in its WireGuard service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path by placing malicious executables in specific file system locations to gain elevated privileges during service startup. | 2026-01-13 | 8.4 | CVE-2022-50917 | ExploitDB-50837 ProtonVPN Official Website VulnCheck Advisory: ProtonVPN 1.26.0 - Unquoted Service Path |
| Prowise--Prowise Reflect | Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send keyboard events through an exposed WebSocket on port 8082. Attackers can craft malicious web pages to inject keystrokes, opening applications and typing arbitrary text by sending specific WebSocket messages. | 2026-01-13 | 9.8 | CVE-2022-50925 | ExploitDB-50796 Prowise Official Homepage VulnCheck Advisory: Prowise Reflect v1.0.9 - Remote Keystroke Injection |
| pyasn1--pyasn1 | pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2. | 2026-01-16 | 7.5 | CVE-2026-23490 | https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970 https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2 |
| Pysoft--Active WebCam | Active WebCam 11.5 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path by placing malicious executables in specific directory locations to gain administrative access. | 2026-01-15 | 7.8 | CVE-2021-47790 | ExploitDB-50273 Software Download Page Vendor Homepage VulnCheck Advisory: Active WebCam 11.5 - Unquoted Service Path |
| Raimersoft--RarmaRadio | RarmaRadio 2.72.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing network configuration fields with large character buffers. Attackers can generate a 100,000 character buffer and paste it into multiple network settings fields to trigger application instability and potential crash. | 2026-01-16 | 7.5 | CVE-2021-47821 | ExploitDB-49906 Vendor Homepage VulnCheck Advisory: RarmaRadio 2.72.8 - Denial of Service |
| Red Hat--Red Hat OpenShift Dev Spaces (RHOSDS) 3.22 | A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333. | 2026-01-13 | 9 | CVE-2025-12548 | RHSA-2025:22620 RHSA-2025:22623 RHSA-2025:22652 https://access.redhat.com/security/cve/CVE-2025-12548 RHBZ#2408850 |
| Redragon--Redragon Gaming Mouse | Redragon Gaming Mouse driver contains a kernel-level vulnerability that allows attackers to trigger a denial of service by sending malformed IOCTL requests. Attackers can send a crafted 2000-byte buffer with specific byte patterns to the REDRAGON_MOUSE device to crash the kernel driver. | 2026-01-15 | 7.5 | CVE-2021-47786 | ExploitDB-50322 Vendor Download Page Vulnerability Research Repository VulnCheck Advisory: Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC) |
| Remotemouse--Remote Mouse | Remote Mouse 4.002 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the RemoteMouseService to inject malicious executables and gain administrative access. | 2026-01-15 | 7.8 | CVE-2021-47792 | ExploitDB-50258 Official Vendor Homepage VulnCheck Advisory: Remote Mouse 4.002 - Unquoted Service Path |
| Ribccs--Build Smart ERP | Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipulate database queries and potentially extract or modify database information. | 2026-01-15 | 8.2 | CVE-2021-47777 | ExploitDB-50445 Build Smart ERP Vendor Homepage |
| risesoft-y9--Digital-Infrastructure | A flaw has been found in risesoft-y9 Digital-Infrastructure up to 9.6.7. This affects an unknown function of the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the component REST Authenticate Endpoint. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-17 | 7.3 | CVE-2026-1050 | VDB-341603 \| risesoft-y9 Digital-Infrastructure REST Authenticate Endpoint Y9PlatformUtil.java sql injection VDB-341603 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731010 \| risesoft-y9 Digital-Infrastructure <=9.6.7 SQL Injection https://github.com/risesoft-y9/Digital-Infrastructure/issues/2 https://github.com/risesoft-y9/Digital-Infrastructure/issues/2#issue-3777863959 |
| RocketChat--Rocket.Chat | Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0. | 2026-01-14 | 7.7 | CVE-2026-23477 | https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2. | 2026-01-15 | 7.5 | CVE-2026-22265 | https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47 https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2 |
| Sandboxie--Sandboxie Plus | Sandboxie-Plus 5.50.2 contains an unquoted service path vulnerability in the SbieSvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. | 2026-01-13 | 8.4 | CVE-2022-50920 | ExploitDB-50819 Official Sandboxie-Plus Product Homepage VulnCheck Advisory: Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path |
| Sandboxie-Plus--Sandboxie | Sandboxie 5.49.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the container folder input field. Attackers can paste a large buffer of repeated characters into the Sandbox container folder setting to trigger an application crash. | 2026-01-16 | 7.5 | CVE-2021-47831 | ExploitDB-49844 Sandboxie Official Homepage VulnCheck Advisory: Sandboxie 5.49.7 - Denial of Service |
| SAP_SE--SAP Application Server for ABAP and SAP NetWeaver RFCSDK | Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system's confidentiality, integrity, and availability. | 2026-01-13 | 8.4 | CVE-2026-0507 | https://me.sap.com/notes/3675151 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application; availability is not impacted. | 2026-01-13 | 8.1 | CVE-2026-0511 | https://me.sap.com/notes/3565506 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP HANA database | SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user potentially gaining administrative access. This exploit could result in a total compromise of the system�s confidentiality, integrity, and availability. | 2026-01-13 | 8.8 | CVE-2026-0492 | https://me.sap.com/notes/3691059 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Landscape Transformation | SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | 2026-01-13 | 9.1 | CVE-2026-0491 | https://me.sap.com/notes/3697979 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP NetWeaver Application Server ABAP and ABAP Platform | Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected. | 2026-01-13 | 8.1 | CVE-2026-0506 | https://me.sap.com/notes/3688703 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP S/4HANA (Private Cloud and On-Premise) | SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | 2026-01-13 | 9.1 | CVE-2026-0498 | https://me.sap.com/notes/3694242 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) | Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application. | 2026-01-13 | 9.9 | CVE-2026-0501 | https://me.sap.com/notes/3687749 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Wily Introscope Enterprise Manager (WorkStation) | Due to the usage of a vulnerable third-party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public facing URL. When a victim clicks on the URL, the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromise confidentiality, integrity and availability of the system. | 2026-01-13 | 9.6 | CVE-2026-0500 | https://me.sap.com/notes/3668679 https://url.sap/sapsecuritypatchday |
| shopware--shopware | Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and an array-crafted PHP Closure not being checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1. | 2026-01-14 | 7.2 | CVE-2026-23498 | https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475 |
| SICK AG--Incoming Goods Suite | A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources. | 2026-01-15 | 8.3 | CVE-2026-0713 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive. | 2026-01-15 | 8.3 | CVE-2026-22638 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher. | 2026-01-15 | 8.3 | CVE-2026-22643 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01 | 2026-01-15 | 7.6 | CVE-2026-0712 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--TDC-X401GL | An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data. | 2026-01-15 | 9.9 | CVE-2026-22907 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality. | 2026-01-15 | 9.1 | CVE-2026-22908 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations. | 2026-01-15 | 7.5 | CVE-2026-22909 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system. | 2026-01-15 | 7.5 | CVE-2026-22910 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| Siemens--Industrial Edge Cloud Device (IECD) | Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has learned the identity of a legitimate user. | 2026-01-13 | 10 | CVE-2025-40805 | https://cert-portal.siemens.com/productcert/html/ssa-014678.html https://cert-portal.siemens.com/productcert/html/ssa-001536.html |
| Siemens--SIMATIC ET 200AL IM 157-1 PN | A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) (All versions < V1.3), SIMATIC ET 200SP IM 155-6 PN R1 (6ES7155-6AU00-0HM0) (All versions < V6.0.1), SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0) (All versions < V4.2.2), SIMATIC PN/MF Coupler (6ES7158-3MU10-0XA0) (All versions), SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0) (All versions < V6.0.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0) (All versions >= V4.2.0), SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0) (All versions < V6.0.0). Affected devices do not properly handle S7 protocol session disconnect requests. When receiving a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, the devices enter an improper session state. This could allow an attacker to cause the device to become unresponsive, leading to a denial-of-service condition that requires a power cycle to restore normal operation. | 2026-01-13 | 7.5 | CVE-2025-40944 | https://cert-portal.siemens.com/productcert/html/ssa-674753.html |
| Siemens--TeleControl Server Basic | A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.4). Affected application contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges. | 2026-01-13 | 8.8 | CVE-2025-40942 | https://cert-portal.siemens.com/productcert/html/ssa-192617.html |
| Skyjos--Owlfiles File Manager | Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system directories on the device. | 2026-01-13 | 7.5 | CVE-2022-50890 | ExploitDB-51036 Vendor Homepage Official App Store Listing VulnCheck Advisory: Owlfiles File Manager 12.0.1 - Path Traversal |
| SLIMS--Senayan Library Management System | Senayan Library Management System 9.0.0 contains a SQL injection vulnerability in the 'class' parameter that allows attackers to inject malicious SQL queries. Attackers can exploit the vulnerability by submitting crafted payloads to manipulate database queries and potentially extract sensitive information. | 2026-01-13 | 8.2 | CVE-2022-50805 | ExploitDB-51161 Senayan Library Management System Official Website Vulnerability Research Repository VulnCheck Advisory: Senayan Library Management System 9.0.0 - SQL Injection |
| Smartertools--SmarterTools SmarterTrack | SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents' first and last names along with their unique identifiers. | 2026-01-15 | 7.5 | CVE-2020-36926 | ExploitDB-50328 SmarterTools Official Homepage SmarterTrack Product Page VulnCheck Advisory: SmarterTools SmarterTrack 7922 -Information Disclosure |
| Smartftp--SmartFTP Client | SmartFTP Client 10.0.2909.0 contains multiple denial of service vulnerabilities that allow attackers to crash the application through specific input manipulation. Attackers can trigger crashes by entering malformed paths, using invalid IP addresses, or clearing connection history in the client's interface. | 2026-01-15 | 7.5 | CVE-2021-47791 | ExploitDB-50266 SmartFTP Official Homepage SmartFTP Download Page VulnCheck Advisory: SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service |
| SMCI--X12STW-F | There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW-F. An attacker can update the system firmware with a specially crafted image. | 2026-01-16 | 7.2 | CVE-2025-12006 | https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026 |
| SMCI--X13SEM-F | There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F. An attacker can update the system firmware with a specially crafted image. | 2026-01-16 | 7.2 | CVE-2025-12007 | https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026 |
| SMEWebify--WebErpMesv2 | WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19. | 2026-01-12 | 8.2 | CVE-2026-22788 | https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-pp68-5pc2-hv7w https://github.com/SMEWebify/WebErpMesv2/commit/3a7ab1c95d1d1c8f7c62c84bc87b3666ecd2fa23 |
| Softlink Education--Oliver Library Server | Oliver Library Server v5 contains a file download vulnerability that allows unauthenticated attackers to access arbitrary system files through unsanitized input in the FileServlet endpoint. Attackers can exploit the vulnerability by manipulating the 'fileName' parameter to download sensitive files from the server's filesystem. | 2026-01-15 | 9.8 | CVE-2021-47755 | ExploitDB-50599 Oliver Library Server Official Product Homepage |
| Splashtop--Splashtop | Splashtop 8.71.12001.0 contains an unquoted service path vulnerability in the Splashtop Software Updater Service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Splashtop\Splashtop Software Updater\ to inject malicious executables and escalate privileges. | 2026-01-13 | 8.4 | CVE-2022-50693 | ExploitDB-51182 Splashtop Official Homepage VulnCheck Advisory: Splashtop 8.71.12001.0 - Unquoted Service Path |
| Splinterware--iDailyDiary | iDailyDiary 4.30 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the preferences tab name field. Attackers can paste a 2,000,000 character buffer into the default diary tab name to trigger an application crash. | 2026-01-16 | 7.5 | CVE-2021-47824 | ExploitDB-49898 Vendor Homepage VulnCheck Advisory: iDailyDiary 4.30 - Denial of Service (PoC) |
| Spy-Emergency--Spy Emergency | Spy Emergency 25.0.650 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted file paths in SpyEmergencyHealth.exe and SpyEmergencySrv.exe to inject malicious code during system startup or service restart. | 2026-01-16 | 7.8 | CVE-2021-47845 | ExploitDB-49997 Vendor Homepage VulnCheck Advisory: Spy Emergency 25.0.650 - Unquoted Service Path |
| stellarwp--Membership Plugin Restrict Content | The Membership Plugin - Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership. | 2026-01-16 | 8.2 | CVE-2025-14844 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b52fd4e7?source=cve https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L848 https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L987 https://docs.stripe.com/api/setup_intents/object https://cwe.mitre.org/data/definitions/639.html https://plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/includes/gateways/stripe/functions.php |
| strongSwan--strongSwan | In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow. | 2026-01-16 | 8.1 | CVE-2025-62291 | https://github.com/strongswan/strongswan/releases https://github.com/strongswan/strongswan/commits/master/src/libcharon/plugins/eap_mschapv2 https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-%28cve-2025-62291%29.html |
| suitenumerique--docs | LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacker with document editing privileges can inject a malicious javascript: URL that executes arbitrary code when other users click on the link. This vulnerability is fixed in 4.4.0. | 2026-01-15 | 8.7 | CVE-2026-22867 | https://github.com/suitenumerique/docs/security/advisories/GHSA-4rwv-ghwh-9rv6 https://github.com/suitenumerique/docs/commit/e807237dbedbc189230296b81c3aeccc1c04fa77 https://github.com/suitenumerique/docs/releases/tag/v4.4.0 |
| sumatrapdfreader--sumatrapdf | SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is an Untrusted Search Path vulnerability when the Advanced Options setting is triggered. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution. | 2026-01-14 | 8.6 | CVE-2026-23512 | https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv https://github.com/sumatrapdfreader/sumatrapdf/commit/2762e02a8cd7cb779c934a44257aac56ab7de673 |
| Support--Brother BRPrint Auditor | Brother BRPrint Auditor 3.0.7 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted file paths in BrAuSvc and BRPA_Agent services to inject malicious executables and escalate privileges on the system. | 2026-01-15 | 7.8 | CVE-2020-36929 | ExploitDB-50005 Brother BRPrint Auditor Download Page (NL) Brother BRPrint Auditor Download Page (FR) VulnCheck Advisory: Brother BRPrint Auditor 3.0.7 - 'Multiple' Unquoted Service Path |
| sveltejs--devalue | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2. | 2026-01-15 | 7.5 | CVE-2026-22774 | https://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7 https://github.com/sveltejs/devalue/releases/tag/v5.6.2 |
| sveltejs--devalue | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2. | 2026-01-15 | 7.5 | CVE-2026-22775 | https://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4 https://github.com/sveltejs/devalue/releases/tag/v5.6.2 |
| Sylkat-Tools--AWebServer GhostBuilding | AWebServer GhostBuilding 18 contains a denial of service vulnerability that allows remote attackers to overwhelm the server by sending multiple concurrent HTTP requests. Attackers can generate high-volume requests to multiple endpoints including /mysqladmin to potentially crash or render the service unresponsive. | 2026-01-15 | 7.5 | CVE-2021-47752 | ExploitDB-50629 Vendor Homepage Software Download Link |
| Syncbreeze--Sync Breeze | Sync Breeze 13.6.18 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in service binaries located in 'Program Files' directories to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47807 | ExploitDB-50023 Vendor Homepage VulnCheck Advisory: Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path |
| Sysax--Sysax Multi Server | Sysax Multi Server 6.95 contains a denial of service vulnerability in the administrative password field that allows attackers to crash the application. Attackers can overwrite the password field with 800 bytes of repeated characters to trigger an application crash and disrupt server functionality. | 2026-01-13 | 7.5 | CVE-2023-54337 | ExploitDB-51066 Vendor Homepage VulnCheck Advisory: Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC) |
| Sysgauge--SysGauge | SysGauge Server 7.9.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\SysGauge Server\bin\sysgaus.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2020-36930 | ExploitDB-50009 Vendor Homepage VulnCheck Advisory: SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path |
| Tagstoo--Tagstoo | Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer. | 2026-01-15 | 7.2 | CVE-2021-47843 | ExploitDB-49828 Tagstoo Official Homepage Proof of Concept Video |
| Tdarr--Tdarr | Tdarr 2.00.15 contains an unauthenticated remote code execution vulnerability in its Help terminal that allows attackers to inject and chain arbitrary commands. Attackers can exploit the lack of input filtering by chaining commands like `--help; curl .py \| python` to execute remote code without authentication. | 2026-01-13 | 9.8 | CVE-2022-50919 | ExploitDB-50822 Official Vendor Homepage VulnCheck Advisory: Tdarr 2.00.15 - Command Injection |
| TeamSpeak--TeamSpeak | TeamSpeak 3.5.6 contains an insecure file permissions vulnerability that allows local attackers to replace executable files with malicious binaries. Attackers can replace system executables like ts3client_win32.exe with custom files to potentially gain SYSTEM or Administrator-level access. | 2026-01-13 | 8.4 | CVE-2022-50931 | ExploitDB-50743 TeamSpeak Official Vendor Homepage TeamSpeak Downloads Page VulnCheck Advisory: TeamSpeak 3.5.6 - Insecure File Permissions |
| Telcel--FLAME II MODEM USB | Flame II HSPA USB Modem contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Internet Telcel\ApplicationController.exe' to execute arbitrary code with elevated system privileges. | 2026-01-13 | 9.8 | CVE-2022-50935 | ExploitDB-50708 Archived Telcel Flame II MODEM USB Product Page VulnCheck Advisory: FLAME II MODEM USB - Unquoted Service Path |
| Telegram--Telegram Desktop | Telegram Desktop 2.9.2 contains a denial of service vulnerability that allows attackers to crash the application by sending an oversized message payload. Attackers can generate a 9 million byte buffer and paste it into the messaging interface to trigger an application crash. | 2026-01-15 | 7.5 | CVE-2021-47793 | ExploitDB-50247 Official Telegram Homepage VulnCheck Advisory: Telegram Desktop 2.9.2 - Denial of Service (PoC) |
| Tenable--Nessus Agent | A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges. | 2026-01-13 | 8.8 | CVE-2025-36640 | https://www.tenable.com/security/tns-2026-01 |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0. | 2026-01-12 | 8 | CVE-2026-22804 | https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35 |
| Testlink--TestLink | TestLink versions 1.16 through 1.19 contain an unauthenticated file download vulnerability in the attachmentdownload.php endpoint. Attackers can download arbitrary files by iterating file IDs through the 'id' parameter with 'skipCheck=1' to bypass access controls. | 2026-01-15 | 9.8 | CVE-2021-47760 | ExploitDB-50578 Official TestLink Product Homepage Archived Researcher Blog |
| The Browser Company of New York--Dia | Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site. | 2026-01-16 | 7.4 | CVE-2025-15032 | https://www.diabrowser.com/security/bulletins#CVE-2025-15032 |
| Thecus--Thecus N4800Eco Nas Server Control Panel | Thecus N4800Eco NAS Server Control Panel contains a command injection vulnerability that allows authenticated attackers to execute arbitrary system commands through user management endpoints. Attackers can inject commands via username and batch user creation parameters to execute shell commands with administrative privileges. | 2026-01-16 | 8.8 | CVE-2021-47816 | ExploitDB-49926 Thecus Official Vendor Homepage Thecus N4800Eco Product Page Researcher Blog VulnCheck Advisory: Thecus N4800Eco Nas Server Control Panel - Command Injection |
| Totalav--TotalAV | TotalAV 5.15.69 contains an unquoted service path vulnerability in multiple system services running with LocalSystem privileges. Attackers can place malicious executables in specific unquoted path segments to potentially gain SYSTEM-level access by exploiting the service path configuration. | 2026-01-15 | 7.8 | CVE-2021-47787 | ExploitDB-50314 TotalAV Official Homepage VulnCheck Advisory: TotalAV 5.15.69 - Unquoted Service Path |
| tridenttechnolabs--Shipping Rate By Cities | The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-14 | 7.5 | CVE-2025-14770 | https://www.wordfence.com/threat-intel/vulnerabilities/id/11e7e798-9fb9-4cff-a96f-a0003f203f5f?source=cve https://plugins.trac.wordpress.org/browser/shipping-rate-by-cities/trunk/shiprate-cities-method-class.php#L372 |
| Umbraco--Forms | In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution. | 2026-01-16 | 7.5 | CVE-2025-68924 | https://our.umbraco.com/packages/developer-tools/umbraco-forms/ https://github.com/advisories/GHSA-vrgw-pc9c-qrrc https://www.nuget.org/packages/UmbracoForms |
| vaghasia3--News and Blog Designer Bundle | The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | 2026-01-14 | 9.8 | CVE-2025-14502 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e02683dc-0771-4bd5-bba3-2b5423da1c80?source=cve https://plugins.trac.wordpress.org/browser/news-and-blog-designer-bundle/trunk/includes/class-nbdb-ajax.php#L31 |
| vesparny--Marky | Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47839 | ExploitDB-49831 Marky GitHub Repository Proof of Concept Video VulnCheck Advisory: Marky 0.0.1 - Persistent Cross-Site Scripting |
| Vianeos--Vianeos OctoPUS | Vianeos OctoPUS 5 contains a time-based blind SQL injection vulnerability in the 'login_user' parameter during authentication requests. Attackers can exploit this vulnerability by crafting malicious POST requests with specially constructed SQL payloads that trigger database sleep functions to extract information. | 2026-01-15 | 8.2 | CVE-2021-47801 | ExploitDB-50078 Vendor Homepage Software Product Page VulnCheck Advisory: Vianeos OctoPUS 5 - 'login_user' SQLi |
| VIAVIWEB--VIAVIWEB Wallpaper Admin | VIAVIWEB Wallpaper Admin 1.0 contains an unauthenticated remote code execution vulnerability in the image upload functionality. Attackers can upload a malicious PHP file through the add_gallery_image.php endpoint to execute arbitrary code on the server. | 2026-01-13 | 9.8 | CVE-2022-50893 | ExploitDB-51033 Vendor Homepage VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 - Code Execution via Image Upload |
| VIAVIWEB--VIAVIWEB Wallpaper Admin | VIAVIWEB Wallpaper Admin 1.0 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the img_id parameter. Attackers can send GET requests to edit_gallery_image.php with malicious img_id values to extract database information. | 2026-01-13 | 9.8 | CVE-2022-50894 | ExploitDB-51033 Vendor Homepage VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 SQL Injection via edit_gallery_image.php |
| VIAVIWEB--VIAVIWEB Wallpaper Admin | VIAVIWEB Wallpaper Admin 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating login credentials. Attackers can exploit the login page by injecting 'admin' or 1=1-- - payload to gain unauthorized access to the administrative interface. | 2026-01-13 | 8.2 | CVE-2022-50892 | ExploitDB-51033 Vendor Homepage VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 - SQL Injection via Login Page |
| VIVE--VIVE Runtime Service | VIVE Runtime Service 1.0.0.4 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific system directories to gain LocalSystem access during service startup. | 2026-01-13 | 8.4 | CVE-2022-50918 | ExploitDB-50824 Official VIVE Homepage VIVE Developer Downloads VulnCheck Advisory: VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path |
| Wago--WAGO 750-8212 PFC200 | WAGO 750-8212 PFC200 G2 2ETH RS firmware contains a privilege escalation vulnerability that allows attackers to manipulate user session cookies. Attackers can modify the cookie's 'name' and 'roles' parameters to elevate from ordinary user to administrative privileges without authentication. | 2026-01-13 | 9.8 | CVE-2022-50926 | ExploitDB-50793 Official Vendor Homepage VulnCheck Advisory: WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation |
| Wbce--WBCE CMS | WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload. | 2026-01-13 | 8.8 | CVE-2022-50936 | ExploitDB-50707 WBCE CMS Official Website WBCE CMS Downloads Page WBCE CMS GitHub Repository VulnCheck Advisory: WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated) |
| WeblateOrg--wlc | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2. | 2026-01-16 | 8.1 | CVE-2026-23535 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg https://github.com/WeblateOrg/wlc/pull/1128 https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f https://github.com/WeblateOrg/wlc/releases/tag/1.17.2 |
| Websitebaker--WebsiteBaker | WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve remote code execution on the server. | 2026-01-15 | 8.8 | CVE-2021-47788 | ExploitDB-50310 WebsiteBaker Official Homepage VulnCheck Advisory: WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated) |
| WebSSH--WebSSH for iOS | WebSSH for iOS 14.16.10 contains a denial of service vulnerability in the mashREPL tool that allows attackers to crash the application by pasting malformed input. Attackers can trigger the vulnerability by copying a 300-character buffer of repeated 'A' characters into the mashREPL input field, causing the application to crash. | 2026-01-16 | 7.5 | CVE-2021-47827 | ExploitDB-49883 WebSSH iOS App Store Page VulnCheck Advisory: WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service |
| Weird-Solutions--BOOTP Turbo | BOOTP Turbo 2.0.0.1253 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to execute arbitrary code with elevated LocalSystem privileges during system startup or reboot. | 2026-01-16 | 7.8 | CVE-2021-47828 | ExploitDB-49851 Vendor Homepage VulnCheck Advisory: BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path |
| Weird-Solutions--DHCP Broadband | DHCP Broadband 4.1.0.1503 contains an unquoted service path vulnerability in its service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files\DHCP Broadband 4\dhcpt.exe' to inject malicious code that will execute during service startup with LocalSystem permissions. | 2026-01-16 | 7.8 | CVE-2021-47829 | ExploitDB-49850 Vendor Homepage VulnCheck Advisory: DHCP Broadband 4.1.0.1503 - 'dhcpt.exe' Unquoted Service Path |
| Wibu--WibuKey Runtime | WibuKey Runtime 6.51 contains an unquoted service path vulnerability in the WkSvW32.exe service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47810 | ExploitDB-49999 Vendor Homepage Software Download Page VulnCheck Advisory: WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path |
| Wisecleaner--Wise Care | Wise Care 365 5.6.7.568 contains an unquoted service path vulnerability in the WiseBootAssistant service running with LocalSystem privileges. Attackers can exploit this by inserting a malicious executable in the service path, which will execute with elevated system privileges when the service restarts. | 2026-01-15 | 7.8 | CVE-2021-47804 | ExploitDB-50038 Official Vendor Homepage VulnCheck Advisory: Wise Care 365 5.6.7.568 - 'WiseBootAssistant' Unquoted Service Path |
| Wondershare--Wondershare Dr.Fone | Wondershare Dr.Fone 12.0.18 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path to insert malicious code that will be executed with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50900 | ExploitDB-50813 Vendor Homepage VulnCheck Advisory: Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path |
| Wondershare--Wondershare Dr.Fone | Wondershare Dr.Fone 11.4.9 contains an unquoted service path vulnerability in the DFWSIDService that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\ to inject malicious executables that would run with LocalSystem privileges. | 2026-01-13 | 8.4 | CVE-2022-50901 | ExploitDB-50755 Vendor Homepage VulnCheck Advisory: Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path |
| Wondershare--Wondershare FamiSafe | Wondershare FamiSafe 1.0 contains an unquoted service path vulnerability in the FSService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Wondershare\FamiSafe\ to inject malicious code that would run with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50902 | ExploitDB-50757 Vendor Homepage VulnCheck Advisory: Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path |
| Wondershare--Wondershare MobileTrans | Wondershare MobileTrans 3.5.9 contains an unquoted service path vulnerability in the ElevationService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path by placing malicious executables in specific filesystem locations that will be executed with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50903 | ExploitDB-50756 Vendor Homepage VulnCheck Advisory: Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path |
| Wondershare--Wondershare UBackit | Wondershare UBackit 2.0.5 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the wsbackup service to inject malicious executables that would run with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50904 | ExploitDB-50758 Vendor Homepage VulnCheck Advisory: Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path |
| woosaai--Integration Opvius AI for WooCommerce | The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files. | 2026-01-14 | 9.8 | CVE-2025-14301 | https://www.wordfence.com/threat-intel/vulnerabilities/id/34612902-1a26-4759-bca6-b5aaffa25af4?source=cve https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L41 https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L25 https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L79 https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L160 |
| Wordpress--Social-Share-Buttons | Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and potentially steal entire database contents. | 2026-01-13 | 8.2 | CVE-2023-54333 | ExploitDB-51116 WP Plugin Webpage Vulnerability Research Repository VulnCheck Advisory: Social-Share-Buttons 2.2.3 - SQL Injection via project_id Parameter |
| WorkOrder--WorkOrder CMS | WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login by manipulating username and password parameters. Attackers can inject malicious SQL queries using techniques like OR '1'='1' and stacked queries to access database information or execute administrative commands. | 2026-01-13 | 8.2 | CVE-2023-54340 | ExploitDB-51038 WorkOrder CMS GitHub Repository VulnCheck Advisory: WorkOrder CMS 0.1.0 - SQL Injection |
| Yenkee--Yenkee Hornet Gaming Mouse | Yenkee Hornet Gaming Mouse driver GM312Fltr.sys contains a buffer overrun vulnerability that allows attackers to crash the system by sending oversized input. Attackers can exploit the driver by sending a 2000-byte buffer through DeviceIoControl to trigger a kernel-level system crash. | 2026-01-15 | 7.5 | CVE-2021-47789 | ExploitDB-50311 Yenkee Vendor Webpage Quadron Research Lab Kernel Driver Bugs Repository VulnCheck Advisory: Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC) |
| Yonyou--KSOA | A vulnerability has been found in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_work.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1120 | VDB-341712 \| Yonyou KSOA HTTP GET Parameter del_work.jsp sql injection VDB-341712 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734535 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/6 |
| Yonyou--KSOA | A vulnerability was found in Yonyou KSOA 9.0. This affects an unknown function of the file /worksheet/del_workplan.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in SQL injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1121 | VDB-341713 \| Yonyou KSOA HTTP GET Parameter del_workplan.jsp sql injection VDB-341713 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734548 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/7 |
| Yonyou--KSOA | A vulnerability was determined in Yonyou KSOA 9.0. This impacts an unknown function of the file /worksheet/work_info.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes SQL injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1122 | VDB-341714 \| Yonyou KSOA HTTP GET Parameter work_info.jsp sql injection VDB-341714 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734549 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/8 |
| Yonyou--KSOA | A vulnerability was identified in Yonyou KSOA 9.0. Affected is an unknown function of the file /worksheet/work_mod.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument ID leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1123 | VDB-341715 \| Yonyou KSOA HTTP GET Parameter work_mod.jsp sql injection VDB-341715 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734550 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/9 |
| Yonyou--KSOA | A security flaw has been discovered in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_report.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument ID results in SQL injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1124 | VDB-341716 \| Yonyou KSOA HTTP GET Parameter work_report.jsp sql injection VDB-341716 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734551 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/10 |
| zalando--skipper | Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline, for example through a Kubernetes Ingress resource. The configuration inline allows these users to create a script that is able to read the filesystem accessible to the skipper process and, if the user has access to read the logs, they can read skipper secrets. This vulnerability is fixed in 0.23.0. | 2026-01-16 | 8.8 | CVE-2026-23742 | https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714 https://github.com/zalando/skipper/releases/tag/v0.23.0 |
| Zeslecp--ZesleCP | ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a specified listening host. | 2026-01-15 | 8.8 | CVE-2021-47794 | ExploitDB-50233 ZesleCP Official Website Exploit Demonstration Video VulnCheck Advisory: ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated) |
| Zohocorp--ManageEngine ADSelfService Plus | Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations. | 2026-01-13 | 9.1 | CVE-2025-11250 | https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-11250.html |
| Zohocorp--ManageEngine PAM360 | Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality. | 2026-01-13 | 8.1 | CVE-2025-11669 | https://www.manageengine.com/privileged-access-management/advisory/cve-2025-11669.html |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 1Panel-dev--1Panel | 1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user's browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17. | 2026-01-18 | 6.4 | CVE-2026-23525 | https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-mg24-6h5c-9q42 |
| A-Plus Video Technologies--AP-RM864P | Certain NVR models developed by A-Plus Video Technologies have a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information. | 2026-01-12 | 5.3 | CVE-2026-0853 | https://www.twcert.org.tw/tw/cp-132-10620-527f1-1.html https://www.twcert.org.tw/en/cp-139-10621-55584-2.html |
| aankit--SpiceForms Form Builder | The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 6.4 | CVE-2025-12178 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9a19e96-2ca4-4072-aa2e-ab01f1685911?source=cve https://plugins.trac.wordpress.org/browser/spiceforms-form-builder/tags/1.0/spiceform.php#L135 |
| abage--Sosh Share Buttons | The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-15377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/38b8b563-10a4-4343-b95a-7d09cf6fd729?source=cve https://plugins.trac.wordpress.org/browser/sosh-share-buttons/tags/1.1.0/sosh.class.php#L138 |
| Adobe--Illustrator | Illustrator versions 29.8.3, 30.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21288 | https://helpx.adobe.com/security/products/illustrator/apsb26-03.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21278 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--Substance3D - Designer | Substance3D - Designer versions 15.0.3 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21308 | https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21300 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21301 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21302 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21303 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| adoncreatives--Testimonials Creator | The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2025-14379 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3af18a17-81a0-4720-b222-153ab4ddf7d9?source=cve https://wordpress.org/plugins/testimonials-creator/ |
| akinloluwami--outray | Outray is an open-source ngrok alternative. Prior to 0.1.5, this vulnerability allows a user, i.e. a free plan user, to get more than the desired subdomains due to a lack of database transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5. | 2026-01-14 | 5.9 | CVE-2026-22819 | https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g https://github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6 |
| aliasvault--aliasvault | AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3. | 2026-01-14 | 6.1 | CVE-2026-22694 | https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q https://github.com/aliasvault/aliasvault/issues/1440 https://github.com/aliasvault/aliasvault/pull/1441 https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d https://github.com/aliasvault/aliasvault/releases/tag/0.25.3 |
| Altium--Altium Live | A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST requests. The injected content is rendered verbatim when support cases are viewed by other users, including support staff with elevated privileges, allowing execution of arbitrary JavaScript in the victim's browser context. | 2026-01-15 | 6.1 | CVE-2026-1011 | https://www.altium.com/platform/security-compliance/security-advisories |
| AmauriC--tarteaucitron.js | tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0. | 2026-01-13 | 4.4 | CVE-2026-22809 | https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm https://github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52 |
| aplazopayment--Aplazo Payment Gateway | The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status. | 2026-01-14 | 5.3 | CVE-2025-15512 | https://www.wordfence.com/threat-intel/vulnerabilities/id/97b327cc-7a72-4cc3-a4db-a693469f6917?source=cve https://plugins.trac.wordpress.org/browser/aplazo-payment-gateway/tags/1.4.2/includes/module/class-aplazo-module.php#L206 |
| Arunna--Arunna | Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users into submitting the form. | 2026-01-15 | 5.3 | CVE-2021-47754 | ExploitDB-50608 Archived Researcher Blog Arunna GitHub Repository |
| Automattic--Jetpack | Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page. | 2026-01-13 | 6.1 | CVE-2023-54332 | ExploitDB-51104 Jetpack WordPress Plugin Homepage VulnCheck Advisory: Jetpack 11.4 - Cross Site Scripting (XSS) |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. | 2026-01-12 | 6.5 | CVE-2025-68468 | https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52 https://github.com/avahi/avahi/issues/683 https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. | 2026-01-12 | 6.5 | CVE-2025-68471 | https://github.com/avahi/avahi/security/advisories/GHSA-56rf-42xr-qmmg https://github.com/avahi/avahi/issues/678 https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1 |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. | 2026-01-12 | 5.5 | CVE-2025-68276 | https://github.com/avahi/avahi/security/advisories/GHSA-mhf3-865v-g5rc https://github.com/avahi/avahi/pull/806 https://github.com/avahi/avahi/commit/ede7048475c5d47d53890e3bc1350dda8e0b3688 |
| Awesome Motive--YouTube Feed Pro | The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube. | 2026-01-17 | 5.9 | CVE-2025-12002 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e9f31ec5-c376-45b1-9ffe-35c80b89b60d?source=cve https://smashballoon.com/youtube-feed/ https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1047 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1038 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L25 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L339 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L383 |
| awesomesupport--Awesome Support WordPress HelpDesk & Support Plugin | The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce. | 2026-01-16 | 6.5 | CVE-2025-12641 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a8e4ca-c16b-4e9d-8ad2-5a671fdbc49a?source=cve https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L36 https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L66 https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-user.php#L1686 https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/themes/default/registration.php#L183 https://plugins.trac.wordpress.org/changeset/3435609/awesome-support/trunk/includes/functions-user.php?contextall=1 |
| axllent--mailpit | Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue. | 2026-01-18 | 5.3 | CVE-2026-23829 | https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534 https://github.com/axllent/mailpit/releases/tag/v1.28.3 |
| B2Evolution--b2evolution | b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpage. | 2026-01-15 | 5.3 | CVE-2021-47800 | ExploitDB-50081 Official Vendor Homepage Software Download Page B2Evolution GitHub Repository VulnCheck Advisory: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF) |
| bastillion-io--Bastillion | A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 4.7 | CVE-2026-1063 | VDB-341631 \| bastillion-io Bastillion Public Key Management System AuthKeysKtrl.java command injection VDB-341631 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731303 \| bastillion-io Bastillion <=4.0.1 Command Injection https://github.com/AnalogyC0de/public_exp/blob/main/archives/Bastillion/report1.md |
| bastillion-io--Bastillion | A vulnerability was found in bastillion-io Bastillion up to 4.0.1. This issue affects some unknown processing of the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the component System Management Module. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 4.7 | CVE-2026-1064 | VDB-341632 \| bastillion-io Bastillion System Management SystemKtrl.java command injection VDB-341632 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731308 \| bastillion-io Bastillion SSH Key Manager <=4.0.1 Command Injection https://github.com/AnalogyC0de/public_exp/blob/main/archives/Bastillion/report2.md |
| bdthemes--Spin Wheel Interactive spinning wheel that offers coupons | The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes. | 2026-01-17 | 5.3 | CVE-2026-0808 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c023b91e-f633-41a6-b2d7-bcb3f1d026b7?source=cve https://plugins.trac.wordpress.org/browser/spin-wheel/trunk/includes/class-swp-ajax.php#L73 https://plugins.trac.wordpress.org/browser/spin-wheel/tags/2.0.2/includes/class-swp-ajax.php#L73 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437726%40spin-wheel&new=3437726%40spin-wheel&sfp_email=&sfph_mail= |
| BlackBerry Ltd--QNX Software Development Platform | Null pointer dereference in the MsgRegisterEvent() system call could allow an attacker with local access and code execution abilities to crash the QNX Neutrino kernel. | 2026-01-13 | 6.2 | CVE-2025-8090 | https://support.blackberry.com/pkb/s/article/141027 |
| bplugins--Team Section Block Showcase Team Members with Layout Options | The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-17 | 6.4 | CVE-2026-0833 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6348b119-a0dc-40ef-ae62-1de86dcefac7?source=cve https://plugins.trac.wordpress.org/browser/team-section/trunk/build/render.php#L3 https://plugins.trac.wordpress.org/browser/team-section/tags/1.1.0/build/render.php#L3 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436953%40team-section&new=3436953%40team-section&sfp_email=&sfph_mail= |
| brechtvds--WP Recipe Maker | The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to. | 2026-01-16 | 4.3 | CVE-2025-15527 | https://www.wordfence.com/threat-intel/vulnerabilities/id/96f77fdc-4e91-43c0-8bc6-7bb202945c7d?source=cve https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L48 https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L86 https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L172 https://plugins.trac.wordpress.org/changeset/3415263/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php?contextall=1&old=3402554&old_path=%2Fwp-recipe-maker%2Ftrunk%2Fincludes%2Fpublic%2Fapi%2Fclass-wprm-api-utilities.php |
| BYVoid--OpenCC | A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vulnerability affects the function opencc::MaxMatchSegmentation of the file src/MaxMatchSegmentation.cpp. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. Patch name: 345c9a50ab07018f1b4439776bad78a0d40778ec. To fix this issue, it is recommended to deploy a patch. | 2026-01-18 | 5.3 | CVE-2025-15536 | VDB-341708 \| BYVoid OpenCC MaxMatchSegmentation.cpp MaxMatchSegmentation heap-based overflow VDB-341708 \| CTI Indicators (IOB, IOC, IOA) Submit #733347 \| BYVoid OpenCC ver.1.1.9 and master-branch Heap-based Buffer Overflow https://github.com/BYVoid/OpenCC/issues/997 https://github.com/BYVoid/OpenCC/pull/1005 https://github.com/oneafter/1222/blob/main/repro https://github.com/BYVoid/OpenCC/commit/345c9a50ab07018f1b4439776bad78a0d40778ec |
| cakephp--cakephp | CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1. | 2026-01-16 | 5.4 | CVE-2026-23643 | https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5 https://github.com/cakephp/cakephp/issues/19172 https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f https://bakery.cakephp.org/2026/01/14/cakephp_5212.html https://github.com/cakephp/cakephp/releases/tag/5.2.12 https://github.com/cakephp/cakephp/releases/tag/5.3.1 |
| cbutlerjr--WP-Members Membership Plugin | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-15 | 5.4 | CVE-2025-14448 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89d1fa00-4757-4f86-bddb-a6a2dbcf9625?source=cve https://plugins.trac.wordpress.org/changeset/3418471/wp-members |
| Celestialsoftware--AbsoluteTelnet | AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating DialUp connection and license name fields. Attackers can generate a 1000-character payload and paste it into specific input fields to trigger application crashes and force unexpected termination. | 2026-01-15 | 6.2 | CVE-2021-47764 | ExploitDB-50511 Vendor Homepage |
| Celestialsoftware--AbsoluteTelnet | AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating username and error report fields. Attackers can trigger the crash by inserting 1000 characters into the username or email address fields, causing the application to become unresponsive. | 2026-01-15 | 6.2 | CVE-2021-47765 | ExploitDB-50510 Vendor Homepage |
| Chamilo--LMS | A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.4 | CVE-2026-1106 | VDB-341698 \| Chamilo LMS Legal Consent SocialController.php deleteLegal improper authorization VDB-341698 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731510 \| Chamilo LMS <= v2.0.0 Beta 1 SocialController IDOR - Legal Consent Data Manipulat https://note-hxlab.wetolink.com/share/w92t1Q0a74Gj |
| cijliu--librtsp | A security vulnerability has been detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The affected element is the function rtsp_rely_dumps. The manipulation leads to buffer overflow. The attack must be carried out locally. This product uses rolling releases to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.3 | CVE-2026-1108 | VDB-341700 \| cijliu librtsp rtsp_rely_dumps buffer overflow VDB-341700 \| CTI Indicators (IOB, IOC, IOA) Submit #732598 \| librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_rely_dumps/librtsp_rtsp_rely_dumps.md |
| cijliu--librtsp | A vulnerability was detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The impacted element is the function rtsp_parse_request. The manipulation results in buffer overflow. Attacking locally is a requirement. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.3 | CVE-2026-1109 | VDB-341701 \| cijliu librtsp rtsp_parse_request buffer overflow VDB-341701 \| CTI Indicators (IOB, IOC, IOA) Submit #732599 \| librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_parse_request/librtsp_rtsp_parse_request.md |
| cijliu--librtsp | A flaw has been found in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. This affects the function rtsp_parse_method. This manipulation causes buffer overflow. It is possible to launch the attack on the local host. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.3 | CVE-2026-1110 | VDB-341702 \| cijliu librtsp rtsp_parse_method buffer overflow VDB-341702 \| CTI Indicators (IOB, IOC, IOA) Submit #732603 \| librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_parse_method/librtsp_rtsp_parse_method.md |
| Cinspiration--RDP Manager | RDP Manager 4.9.9.3 contains a denial of service vulnerability in connection input fields that allows local attackers to crash the application. Attackers can add oversized entries in Verbindungsname and Server fields to permanently freeze and crash the software, potentially requiring full reinstallation. | 2026-01-15 | 6.2 | CVE-2021-47771 | ExploitDB-50484 Archived Software Download Page Vulnerability-Lab Disclosure |
| Cisco--Cisco Evolved Programmable Network Manager (EPNM) | A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. | 2026-01-15 | 4.8 | CVE-2026-20075 | cisco-sa-epnm-pi-stored-xss-GEkX8yWK |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2026-01-15 | 4.8 | CVE-2026-20047 | cisco-sa-ise-xss-964cdxW5 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2026-01-15 | 4.8 | CVE-2026-20076 | cisco-sa-ise-xss-9TDh2kx |
| codepeople--CP Image Store with Slideshow | The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server. | 2026-01-13 | 4.3 | CVE-2026-0684 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28e48604-2aaf-4e02-9b1e-cebf5f0bfcf7?source=cve https://plugins.trac.wordpress.org/browser/cp-image-store/tags/1.1.9/cp-image-store.php#L826 https://plugins.trac.wordpress.org/changeset/3434716/ |
| ConnectWise--PSA | In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values. | 2026-01-16 | 6.5 | CVE-2026-0696 | https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix |
| creativemindssolutions--CM E-Mail Blacklist Simple email filtering for safer registration | The CM E-Mail Blacklist - Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-17 | 4.4 | CVE-2026-0691 | https://www.wordfence.com/threat-intel/vulnerabilities/id/821f4ea9-bc25-4d65-9058-5b77c4f1b230?source=cve https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/backend/views/settings/email_blacklist.phtml#L67 https://plugins.trac.wordpress.org/browser/cm-email-blacklist/tags/1.6.2/backend/views/settings/email_blacklist.phtml#L67 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440158%40cm-email-blacklist&new=3440158%40cm-email-blacklist&sfp_email=&sfph_mail= |
| crushpics--Crush.pics Image Optimizer Image Compression and Optimization | The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings. | 2026-01-14 | 4.3 | CVE-2025-14482 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5e71bf15-aee0-4efc-a1c6-faad9f6e4f38?source=cve https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L66 https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L193 https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L30 |
| cubewp1211--CubeWP Framework | The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-17 | 6.4 | CVE-2025-8615 | https://www.wordfence.com/threat-intel/vulnerabilities/id/efc2baf0-38d9-44be-b439-3585b2f1d4a5?source=cve https://wordpress.org/plugins/cubewp-framework/#developers https://plugins.trac.wordpress.org/changeset/3362001#file10 |
| cubewp1211--CubeWP Framework | The CubeWP - All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | 2026-01-17 | 5.3 | CVE-2025-12129 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2006dc4c-ec1a-45ab-94a3-1f86d80e70ca?source=cve https://plugins.trac.wordpress.org/changeset/3422640/cubewp-framework/trunk/cube/classes/class-cubewp-rest-api.php |
| cyberlord92--Integrate Dynamics 365 CRM | The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-17 | 4.4 | CVE-2026-0725 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6b16028a-0b69-422b-9471-32ea6edb93a0?source=cve https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/trunk/Wrappers/class-templatewrapper.php#L491 https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/tags/1.1.1/Wrappers/class-templatewrapper.php#L491 https://plugins.trac.wordpress.org/changeset/3438502/ |
| Dell--SupportAssist OS Recovery | Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Tampering. | 2026-01-13 | 6.6 | CVE-2025-46684 | https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456 |
| dfieldfl--WP Allowed Hosts | The WP Allowed Hosts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allowed-hosts' parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2026-0734 | https://www.wordfence.com/threat-intel/vulnerabilities/id/700e9d1c-a178-4033-8607-652178860211?source=cve https://plugins.trac.wordpress.org/browser/wp-allow-hosts/trunk/allowed-hosts.php#L170 https://plugins.trac.wordpress.org/browser/wp-allow-hosts/tags/1.0.8/allowed-hosts.php#L170 |
| e107--e107 CMS | e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed. | 2026-01-13 | 4.8 | CVE-2022-50906 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Admin Upload Restriction Bypass + Stored XSS |
| Elastic--Kibana | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs. | 2026-01-13 | 6.5 | CVE-2026-0530 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521 |
| Elastic--Kibana | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users. | 2026-01-13 | 6.5 | CVE-2026-0531 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522 |
| Elastic--Kibana | Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process the specially crafted email format, resulting in complete service unavailability for all users until a manual restart is performed. | 2026-01-13 | 6.5 | CVE-2026-0543 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-08/384523 |
| Elastic--Metricbeat | Improper Validation of Array Index (CWE-129) in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) in the Prometheus helper module can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data. | 2026-01-13 | 6.5 | CVE-2026-0528 | https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519 |
| Elastic--Packetbeat | Improper Validation of Array Index (CWE-129) in Packetbeat's MongoDB protocol parser can allow an attacker to cause Overflow Buffers (CAPEC-100) through specially crafted network traffic. This requires an attacker to send a malformed payload to a monitored network interface where MongoDB protocol parsing is enabled. | 2026-01-14 | 6.5 | CVE-2026-0529 | https://discuss.elastic.co/t/packetbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-02/384520 |
| electric-studio--Electric Studio Download Counter | The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 4.4 | CVE-2026-0741 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a22bba3e-423a-4231-833b-c0be57a3bf7b?source=cve https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/trunk/electric-studio-download-counter.php#L186 https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/tags/2.4/electric-studio-download-counter.php#L186 https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/trunk/electric-studio-download-counter.php#L202 https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/tags/2.4/electric-studio-download-counter.php#L202 |
| EnterpriseDB--Postgres Enterprise Manager (PEM) | PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu. | 2026-01-16 | 6.5 | CVE-2026-0949 | https://www.enterprisedb.com/docs/security/advisories/cve20260949/ |
| espressif--esp-usb | Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length. Because this value is not validated before being copied into a fixed-size stack buffer, an attacker can overflow the buffer and corrupt memory. This vulnerability is fixed in 2.4.0. | 2026-01-12 | 6.8 | CVE-2025-68622 | https://github.com/espressif/esp-usb/security/advisories/GHSA-g65h-9ggq-9827 https://github.com/espressif/esp-usb/commit/77a38b15a17f6e3c7aeb620eb4aeaf61d5194cc0 https://components.espressif.com/components/espressif/usb_host_uvc/versions/2.4.0/changelog |
| espressif--esp-usb | Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the stale local pointer, leading to an immediate use-after-free when processing attacker-controlled Report Descriptor lengths. This vulnerability is fixed in 1.1.0. | 2026-01-12 | 6.8 | CVE-2025-68656 | https://github.com/espressif/esp-usb/security/advisories/GHSA-2pm2-62mr-c9x7 https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660 https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog |
| espressif--esp-usb | Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0. | 2026-01-12 | 6.4 | CVE-2025-68657 | https://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfv https://github.com/espressif/esp-usb/commit/cd28106e9f72ac2719682c06f94601f9f034390b https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog |
| floattechnologies--Float Payment Gateway | The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed. | 2026-01-14 | 5.3 | CVE-2025-15513 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b2c7fb39-d128-4285-8bc3-1e192e1e1196?source=cve https://plugins.trac.wordpress.org/browser/float-gateway/tags/1.1.9/index.php#L477 |
| Fortinet--FortiClientEMS | An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiClientEMS 7.4.3 through 7.4.4, FortiClientEMS 7.4.0 through 7.4.1, FortiClientEMS 7.2.0 through 7.2.10, FortiClientEMS 7.0 all versions may allow an authenticated attacker with at least read-only admin permission to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests. | 2026-01-13 | 6.8 | CVE-2025-59922 | https://fortiguard.fortinet.com/psirt/FG-IR-25-735 |
| Fortinet--FortiVoice | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 allows a privileged attacker to delete files from the underlying filesystem via crafted HTTP or HTTPS requests. | 2026-01-13 | 5.7 | CVE-2025-58693 | https://fortiguard.fortinet.com/psirt/FG-IR-25-778 |
| GeoNetwork--GeoNetwork | Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests. | 2026-01-13 | 6.5 | CVE-2022-50899 | ExploitDB-50982 GeoNetwork Official Homepage VulnCheck Advisory: Geonetwork 4.2.0 - XML External Entity (XXE) |
| Geovision--GeoVision Geowebserver | GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. Attackers can exploit the WebStrings.srf endpoint by manipulating path traversal and injection parameters to access system files and execute malicious scripts. | 2026-01-15 | 6.2 | CVE-2021-47795 | ExploitDB-50211 GeoVision Cyber Security Page VulnCheck Advisory: GeoVision Geowebserver 5.3.3 - Local FIle Inclusion |
| Gotac--Police Statistics Database System | Police Statistics Database System developed by Gotac has an Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory. | 2026-01-16 | 5.3 | CVE-2026-1020 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| gothamdev--Gotham Block Extra Light | The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-01-14 | 6.5 | CVE-2025-15020 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b194b241-d8f4-430c-b00c-d84190026bad?source=cve https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/premium/ghostban.php?marks=56#L56 |
| gothamdev--Gotham Block Extra Light | The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2025-15021 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c36899-3c7b-41b6-a38d-86c8834b4c03?source=cve https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/gothamblock.php?marks=463,470,495,500,504,519,564,578#L463 |
| guillaumev--LinkedIn SC | The LinkedIn SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkedin_sc_date_format', 'linkedin_sc_api_key', and 'linkedin_sc_secret_key' parameters in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. | 2026-01-14 | 4.4 | CVE-2026-0812 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1c4fd888-aeaf-4451-a151-8f884bc22f0b?source=cve https://plugins.trac.wordpress.org/browser/linkedin-sc/tags/1.1.9/linkedin-sc.php#L164 https://plugins.trac.wordpress.org/browser/linkedin-sc/trunk/linkedin-sc.php#L164 |
| gurayyarar--SnipCommand | SnipCommand 0.1.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into command snippets. Attackers can execute arbitrary code by embedding malicious JavaScript that triggers remote command execution through file or title inputs. | 2026-01-16 | 6.1 | CVE-2021-47841 | ExploitDB-49829 SnipCommand GitHub Repository Proof of Concept Video VulnCheck Advisory: SnipCommand 0.1.0 - Persistent Cross-Site Scripting |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | A command injection vulnerability in AOS-8 allows an authenticated privileged user to alter a package header to inject shell commands, potentially affecting the execution of internal operations. Successful exploit could allow an authenticated malicious actor to execute commands with the privileges of the impacted mechanism. | 2026-01-13 | 6.5 | CVE-2025-37176 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. | 2026-01-13 | 6.5 | CVE-2025-37177 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process. | 2026-01-13 | 5.3 | CVE-2025-37178 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process. | 2026-01-13 | 5.3 | CVE-2025-37179 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity of secured access to the system. | 2026-01-14 | 6.5 | CVE-2025-37184 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface and thereby make unauthorized arbitrary configuration changes to the host. | 2026-01-14 | 5.5 | CVE-2025-37185 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Huawei--HarmonyOS | Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 6.2 | CVE-2025-68959 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei--HarmonyOS | Data verification vulnerability in the HiView module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 6.2 | CVE-2025-68964 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 6.8 | CVE-2025-68969 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 6.1 | CVE-2025-68970 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 5.1 | CVE-2025-68961 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 5.1 | CVE-2025-68962 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Man-in-the-middle attack vulnerability in the Clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 5.7 | CVE-2025-68963 | https://consumer.huawei.com/en/support/bulletin/2026/1// |
| Huawei--HarmonyOS | Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 5.1 | CVE-2025-68966 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei--HarmonyOS | Vulnerability of improper permission control in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 5.7 | CVE-2025-68967 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 4.7 | CVE-2025-68965 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Istio--Istio | Istio through 1.28.2 allows iptables rule injection for changing firewall behavior via the traffic.sidecar.istio.io/excludeInterfaces annotation. NOTE: the reporter's position is "this doesn't represent a security vulnerability (pod creators can already exclude sidecar injection entirely)." | 2026-01-15 | 4.1 | CVE-2026-23766 | https://github.com/istio/istio/issues/58781 https://github.com/istio/istio/pull/58785 |
| itsourcecode--Society Management System | A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-18 | 6.3 | CVE-2026-1118 | VDB-341710 \| itsourcecode Society Management System add_activity.php sql injection VDB-341710 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734289 \| itsourcecode Society Management System V1.0 SQL injection https://github.com/AriazzzZ/CVE/issues/2 https://itsourcecode.com/ |
| jackdewey--Community Events | The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter. | 2026-01-17 | 5.3 | CVE-2025-14029 | https://www.wordfence.com/threat-intel/vulnerabilities/id/098c3f4c-b6bc-462a-98ef-30e6a68d74cf?source=cve https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L160 https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L160 https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L64 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437116%40community-events&new=3437116%40community-events&sfp_email=&sfph_mail= |
| jersou--Markdown Explorer | Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access. | 2026-01-16 | 6.1 | CVE-2021-47836 | ExploitDB-49826 Markdown Explorer GitHub Repository Proof of Concept Video VulnCheck Advisory: Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting |
| jokkedk--Webgrind | Webgrind 1.1 and before contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. The application does not sufficiently encode user-controlled inputs, allowing attackers to execute arbitrary JavaScript in victim's browsers by crafting malicious URLs. | 2026-01-13 | 6.1 | CVE-2023-54341 | ExploitDB-51074 Webgrind GitHub Repository VulnCheck Advisory: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) via file Parameter |
| Juniper Networks--Junos OS | An Improper Handling of Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS allows an unauthenticated, network-adjacent attacker sending a specifically malformed ICMP packet to cause an FPC to crash and restart, resulting in a Denial of Service (DoS). When an ICMP packet is received with a specifically malformed IP header value, the FPC receiving the packet crashes and restarts. Due to the specific type of malformed packet, adjacent upstream routers would not forward the packet, limiting the attack surface to adjacent networks. This issue only affects ICMPv4. ICMPv6 is not vulnerable to this issue. This issue affects Junos OS: * all versions before 21.2R3-S9, * from 21.4 before 21.4R3-S10, * from 22.2 before 22.2R3-S7, * from 22.3 before 22.3R3-S4, * from 22.4 before 22.4R3-S5, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S3, * from 24.2 before 24.2R1-S2, 24.2R2. | 2026-01-15 | 6.5 | CVE-2026-0203 | https://supportportal.juniper.net/JSA104294 https://kb.juniper.net/JSA104294 |
| Juniper Networks--Junos OS | A Stack-based Buffer Overflow vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS allows a network-based attacker, authenticated with low privileges to cause a Denial-of-Service (DoS). Subscribing to telemetry sensors at scale causes all FPC connections to drop, resulting in an FPC crash and restart. The issue was not seen when YANG packages for the specific sensors were installed. This issue affects Junos OS: * all versions before 22.4R3-S7, * 23.2 version before 23.2R2-S4, * 23.4 versions before 23.4R2. | 2026-01-15 | 6.5 | CVE-2026-21903 | https://supportportal.juniper.net/JSA106022 https://kb.juniper.net/JSA106022 |
| Juniper Networks--Junos OS | A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition. Memory usage can be monitored through the use of the 'show task memory detail' command. For example: user@junos> show task memory detail | match ted-infra TED-INFRA-COOKIE 25 1072 28 1184 229 user@junos> show task memory detail | match ted-infra TED-INFRA-COOKIE 31 1360 34 1472 307 This issue affects: Junos OS: * from 23.2 before 23.2R2, * from 23.4 before 23.4R1-S2, 23.4R2, * from 24.1 before 24.1R2; Junos OS Evolved: * from 23.2 before 23.2R2-EVO, * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO, * from 24.1 before 24.1R2-EVO. This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO. | 2026-01-15 | 6.5 | CVE-2026-21909 | https://supportportal.juniper.net/JSA106008 https://kb.juniper.net/JSA106008 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on EX4k Series and QFX5k Series platforms allows an unauthenticated network-adjacent attacker flapping an interface to cause traffic between VXLAN Network Identifiers (VNIs) to drop, leading to a Denial of Service (DoS). On all EX4k and QFX5k platforms, a link flap in an EVPN-VXLAN configuration Link Aggregation Group (LAG) results in Inter-VNI traffic dropping when there are multiple load-balanced next-hop routes for the same destination. This issue is only applicable to systems that support EVPN-VXLAN Virtual Port-Link Aggregation Groups (VPLAG), such as the QFX5110, QFX5120, QFX5200, EX4100, EX4300, EX4400, and EX4650. Service can only be restored by restarting the affected FPC via the 'request chassis fpc restart slot <slot-number>' command. This issue affects Junos OS on EX4k and QFX5k Series: * all versions before 21.4R3-S12, * all versions of 22.2 * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2. | 2026-01-15 | 6.5 | CVE-2026-21910 | https://supportportal.juniper.net/JSA106009 https://kb.juniper.net/JSA106009 |
| Juniper Networks--Junos OS | A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS). When telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-capable processes like chassisd, rpd or mib2d will crash and restart, which - depending on the process - can cause a complete outage until the system has recovered. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-EVO. | 2026-01-15 | 6.5 | CVE-2026-21921 | https://supportportal.juniper.net/JSA106021 https://kb.juniper.net/JSA106021 |
| Juniper Networks--Junos OS | An Untrusted Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with low privileges to cause a Denial-of-Service (DoS). When the command 'show route < ( receive-protocol | advertising-protocol ) bgp > detail' is executed, and at least one of the routes in the intended output has specific attributes, this will cause an rpd crash and restart. 'show route ... extensive' is not affected. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. | 2026-01-15 | 5.5 | CVE-2025-59959 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103148 |
| Juniper Networks--Junos OS | An Incorrect Permission Assignment for Critical Resource vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to write to the Unix socket used to manage the jdhcpd process, resulting in complete control over the resource. This vulnerability allows any low-privileged user logged into the system to connect to the Unix socket and issue commands to manage the DHCP service, in essence, taking administrative control of the local DHCP server or DHCP relay. This issue affects: Junos OS: * all versions before 21.2R3-S10, * all versions of 22.2, * from 21.4 before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R1-S1, 25.2R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. | 2026-01-15 | 5.5 | CVE-2025-59961 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103150 |
| Juniper Networks--Junos OS | A NULL Pointer Dereference vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS on MX, SRX and EX Series allows a local attacker with low privileges to cause a Denial-of-Service (DoS). When a user executes the 'show chassis' command with specifically crafted options, chassisd will crash and restart. Due to this all components but the Routing Engine (RE) in the chassis are reinitialized, which leads to a complete service outage, which the system automatically recovers from. This issue affects: Junos OS on MX, SRX and EX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2. | 2026-01-15 | 5.5 | CVE-2025-60007 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103173 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause an availability impact for downstream devices. When an affected device receives a specific optional, transitive BGP attribute over an existing BGP session, it will be erroneously modified before propagation to peers. When the attribute is detected as malformed by the peers, these peers will most likely terminate the BGP sessions with the affected devices and thereby cause an availability impact due to the resulting routing churn. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5 * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. | 2026-01-15 | 5.8 | CVE-2025-60011 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103161 |
| Juniper Networks--Junos OS | A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in the method to collect FPC Ethernet firmware statistics of Juniper Networks Junos OS on MX10k Series allows a local, low-privileged attacker executing the 'show system firmware' CLI command to cause an LC480 or LC2101 line card to reset. On MX10k Series systems with LC480 or LC2101 line cards, repeated execution of the 'show system firmware' CLI command can cause the line card to crash and restart. Additionally, some time after the line card crashes, chassisd may also crash and restart, generating a core dump. This issue affects Junos OS on MX10k Series: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S9, * from 22.2 before 22.2R3-S7, * from 22.4 before 22.4R3-S6, * from 23.2 before 23.2R2-S2, * from 23.4 before 23.4R2-S3, * from 24.2 before 24.2R2. | 2026-01-15 | 5.5 | CVE-2026-21912 | https://supportportal.juniper.net/JSA106011 https://kb.juniper.net/JSA106011 |
| Juniper Networks--Junos OS Evolved | An Incorrect Calculation vulnerability in the Layer 2 Control Protocol Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage. When the issue is seen, the following log message will be generated: op:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP, This issue affects Junos OS Evolved: * all versions before 21.4R3-S7-EVO, * from 22.2 before 22.2R3-S4-EVO, * from 22.3 before 22.3R3-S3-EVO, * from 22.4 before 22.4R3-S2-EVO, * from 23.2 before 23.2R2-S1-EVO, * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO. | 2026-01-15 | 6.5 | CVE-2026-21911 | https://supportportal.juniper.net/JSA106010 https://kb.juniper.net/JSA106010 |
| Juniper Networks--Junos Space | A Use of a Broken or Risky Cryptographic Algorithm vulnerability in the TLS/SSL server of Juniper Networks Junos Space allows the use of static key ciphers (ssl-static-key-ciphers), reducing the confidentiality of on-path traffic communicated across the connection. These ciphers also do not support Perfect Forward Secrecy (PFS), affecting the long-term confidentiality of encrypted communications. This issue affects all versions of Junos Space before 24.1R5. | 2026-01-15 | 5.9 | CVE-2026-21907 | https://supportportal.juniper.net/JSA106006 https://kb.juniper.net/JSA106006 |
| Juniper Networks--Paragon Automation (Pathfinder, Planner, Insights) | A clickjacking vulnerability exists in the web portal of Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) due to the application's failure to set appropriate X-Frame-Options and X-Content-Type HTTP headers. This vulnerability allows an attacker to trick users into interacting with the interface under the attacker's control. This issue affects all versions of Paragon Automation (Pathfinder, Planner, Insights) before 24.1.1. | 2026-01-15 | 6.1 | CVE-2025-52987 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103145 |
| kalcaddle--kodbox | A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 6.3 | CVE-2026-1066 | VDB-341665 \| kalcaddle kodbox Compression zip command injection VDB-341665 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731436 \| kalcaddle kodbox <=1.61.10 Command Injection https://github.com/DReazer/CV3/blob/main/Krce.md |
| keesiemeijer--Related Posts by Taxonomy | The Related Posts by Taxonomy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'related_posts_by_tax' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-16 | 6.4 | CVE-2026-0916 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0582fe7d-884c-4019-837a-861d36ccc842?source=cve https://plugins.trac.wordpress.org/browser/related-posts-by-taxonomy/tags/2.7.6/includes/functions.php#L259 |
| kimai--kimai | Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue. | 2026-01-18 | 6.8 | CVE-2026-23626 | https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg https://github.com/kimai/kimai/pull/5757 https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f https://github.com/kimai/kimai/releases/tag/2.46.0 |
| kiwicommerce--PDF Resume Parser | The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials. | 2026-01-14 | 5.3 | CVE-2025-14464 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8a84bcc2-23e0-4624-89a4-7bbb1b34c498?source=cve https://plugins.trac.wordpress.org/browser/pdf-resume-parser/trunk/pdf-resume-parser.php#L309 https://plugins.trac.wordpress.org/browser/pdf-resume-parser/tags/1.0/pdf-resume-parser.php#L309 |
| kunzemarketing--Kunze Law | The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. In addition, a path traversal vulnerability in the shortcode name allows writing malicious HTML files to arbitrary writable locations on the server. | 2026-01-14 | 4.4 | CVE-2025-15486 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f7957619-e562-4043-920d-275c58684328?source=cve https://plugins.trac.wordpress.org/browser/kunze-law/tags/2.1/kunze-law.php#L406 https://plugins.trac.wordpress.org/browser/kunze-law/tags/2.1/kunze-law.php#L531 |
| Laborator--Kalium 3 \| Creative WordPress & WooCommerce Theme | The Kalium 3 \| Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attackers to use the theme as an open mail relay and send email to arbitrary email addresses on the server's behalf. | 2026-01-15 | 5.3 | CVE-2025-12895 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e65a794-1901-4e54-be4f-9422fe444057?source=cve https://themeforest.net/item/kalium-creative-theme-for-professionals/10860525 https://documentation.laborator.co/kb/kalium/kalium-changelog/ |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the "Atendido" selection dropdown. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 4.3 | CVE-2026-23724 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3r3q-8573-g3cq https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, the web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing and Content-Security-Policy with the frame-ancestors directive is not configured. Because of this, an attacker can load any WeGIA page inside a malicious HTML document, overlay deceptive elements, hide real buttons, or force accidental interaction with sensitive workflows. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 4.3 | CVE-2026-23731 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-99qp-hjvh-c59q https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| Lenovo--ThinkPad L13 Gen 6 BIOS | A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as "On" in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode. | 2026-01-14 | 6.5 | CVE-2026-0421 | https://support.lenovo.com/us/en/product_security/LEN-210688 |
| Lenovo--ThinkPlus FU100 | A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive. | 2026-01-14 | 6.8 | CVE-2025-13453 | https://iknow.lenovo.com.cn/detail/436983 |
| Lenovo--ThinkPlus FU100 | A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information. | 2026-01-14 | 4.7 | CVE-2025-13454 | https://iknow.lenovo.com.cn/detail/436983 |
| Lenovo--Vantage | An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated privileges. | 2026-01-14 | 5.5 | CVE-2025-13154 | https://support.lenovo.com/us/en/product_security/LEN-208293 |
| linknacional--Rede Itaú for WooCommerce Payment PIX, Credit Card and Debit | The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed. | 2026-01-16 | 5.3 | CVE-2026-0939 | https://www.wordfence.com/threat-intel/vulnerabilities/id/722c666b-913f-4289-82e6-30aa0a3abc2b?source=cve https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L45 https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L460 https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L710 |
| linknacional--Rede Itaú for WooCommerce Payment PIX, Credit Card and Debit | The Rede Itaú for WooCommerce - Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.2. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders. | 2026-01-16 | 5.3 | CVE-2026-0942 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4927c060-f2b2-4916-b049-1442bba63e98?source=cve https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L42 https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L58 |
| lobehub--lobe-chat | LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue. | 2026-01-18 | 6.4 | CVE-2026-23733 | https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443 |
| logiceverest--Shipping Rates by City for WooCommerce | The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'cities' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-14 | 4.9 | CVE-2026-0678 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ada476b-6978-4c38-a5d3-67266a709a3e?source=cve https://plugins.trac.wordpress.org/browser/flat-shipping-rate-by-city-for-woocommerce/trunk/shipping-method-class.php#L154 https://plugins.trac.wordpress.org/browser/flat-shipping-rate-by-city-for-woocommerce/tags/1.0.3/shipping-method-class.php#L154 |
| lottiefile--LottieFiles Lottie block for Gutenberg | The LottieFiles - Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site owner's LottieFiles.com account credentials including their API access token and email address when the 'Share LottieFiles account with other WordPress users' option is enabled. | 2026-01-14 | 5.3 | CVE-2026-0717 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19b159ca-4b41-48b4-880d-9b9dc44b3463?source=cve https://plugins.trac.wordpress.org/browser/lottiefiles/tags/3.0.0/src/common.php?marks=21,122#L21 |
| lwj--flow | A security vulnerability has been detected in lwj flow up to a3d2fe8133db9d3b50fda4f66f68634640344641. This affects the function uploadFile of the file \flow-master\flow-front-rest\src\main\java\com\dragon\flow\web\resource\flow\FormResource.java of the component SVG File Handler. The manipulation of the argument File leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-18 | 6.3 | CVE-2026-1126 | VDB-341718 \| lwj flow SVG File FormResource.java uploadFile unrestricted upload VDB-341718 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735122 \| https://gitee.com/lwj/flow flowable 1.0 Arbitrary File Upload https://gitee.com/lwj/flow/issues/IDIQSE |
| mailerlite--MailerLite WooCommerce integration | The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history. | 2026-01-16 | 6.5 | CVE-2026-1000 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e20deec4-f40c-4bd3-91f7-6a9d643a5520?source=cve https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/includes/WooMailerLite.php#L127 https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/admin/controllers/WooMailerLiteAdminSettingsController.php#L231 https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/includes/migrations/WooMailerLiteMigration.php#L33 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3415073%40woo-mailerlite%2Ftrunk&old=3399626%40woo-mailerlite%2Ftrunk&sfp_email=&sfph_mail= |
| makesweat--Makesweat | The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 4.4 | CVE-2025-13627 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88dec08d-cb27-4ea8-853e-0c12dd0a6ab6?source=cve https://it.wordpress.org/plugins/makesweat/ https://plugins.trac.wordpress.org/browser/makesweat/trunk/makesweat.php#L64 https://plugins.trac.wordpress.org/browser/makesweat/tags/0.1/makesweat.php#L64 https://plugins.trac.wordpress.org/browser/makesweat/trunk/makesweat.php#L85 https://plugins.trac.wordpress.org/browser/makesweat/tags/0.1/makesweat.php#L85 |
| mallsop--List Site Contributors | The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alpha' parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-14 | 6.1 | CVE-2026-0594 | https://www.wordfence.com/threat-intel/vulnerabilities/id/026a2e0d-4d30-4133-9118-055026aa9f4a?source=cve https://plugins.trac.wordpress.org/browser/list-site-contributors/trunk/list-site-contributors.php#L435 https://plugins.trac.wordpress.org/browser/list-site-contributors/tags/1.1.8/list-site-contributors.php#L435 |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops. | 2026-01-16 | 6.8 | CVE-2025-14435 | https://mattermost.com/security-updates |
| memsource--Phrase TMS Integration for WordPress | The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files. | 2026-01-17 | 4.3 | CVE-2025-12168 | https://www.wordfence.com/threat-intel/vulnerabilities/id/396f2426-7bc4-4221-bc48-920bec5af6e5?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426034%40memsource-connector&new=3426034%40memsource-connector&sfp_email=&sfph_mail= |
| metagauss--EventPrime Events Calendar, Bookings and Tickets | The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0. | 2026-01-13 | 5.3 | CVE-2025-14507 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4b170ed1-72ee-40b6-9882-e978d630f6bb?source=cve https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-rest-api.php#L447 https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-rest-api.php#L651 https://plugins.trac.wordpress.org/changeset/3422587/ https://plugins.trac.wordpress.org/changeset/3432454/ |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network. | 2026-01-13 | 5.4 | CVE-2026-20958 | Microsoft SharePoint Information Disclosure Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-01-13 | 4.6 | CVE-2026-20959 | Microsoft SharePoint Server Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper input validation in Windows LDAP - Lightweight Directory Access Protocol allows an authorized attacker to perform tampering over a network. | 2026-01-13 | 6.5 | CVE-2026-20812 | LDAP Tampering Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Remote Procedure Call allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20821 | Remote Procedure Call Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to perform spoofing over a network. | 2026-01-13 | 6.5 | CVE-2026-20847 | Microsoft Windows File Explorer Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | 2026-01-13 | 6.5 | CVE-2026-20872 | NTLM Hash Disclosure Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | 2026-01-13 | 6.5 | CVE-2026-20925 | NTLM Hash Disclosure Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot. The operating system's certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees. Certificates (Certificate Authority (CA); Location; Purpose; Expiration Date): (1) Microsoft Corporation KEK CA 2011; KEK; Signs updates to the DB and DBX; 06/24/2026. (2) Microsoft Corporation UEFI CA 2011; DB; Signs 3rd party boot loaders, Option ROMs, etc.; 06/27/2026. (3) Microsoft Windows Production PCA 2011; DB; Signs the Windows Boot Manager; 10/19/2026. For more information see this CVE and Windows Secure Boot certificate expiration and CA updates. | 2026-01-13 | 6.4 | CVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20823 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Protection mechanism failure in Windows Remote Assistance allows an unauthorized attacker to bypass a security feature locally. | 2026-01-13 | 5.5 | CVE-2026-20824 | Windows Remote Assistance Security Feature Bypass Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20827 | Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows TPM allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20829 | TPM Trustlet Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20839 | Windows Client-Side Caching (CSC) Service Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Management Services allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20862 | Windows Management Services Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to deny service over a network. | 2026-01-13 | 5.3 | CVE-2026-20927 | Windows SMB Server Denial of Service Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20932 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20937 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20939 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows Hyper-V allows an authorized attacker to disclose information locally. | 2026-01-13 | 4.4 | CVE-2026-20825 | Windows Hyper-V Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows Internet Connection Sharing (ICS) allows an unauthorized attacker to disclose information with a physical attack. | 2026-01-13 | 4.6 | CVE-2026-20828 | Windows rndismp6.sys Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Absolute path traversal in Windows Shell allows an unauthorized attacker to perform spoofing with a physical attack. | 2026-01-13 | 4.6 | CVE-2026-20834 | Windows Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows NDIS allows an authorized attacker to disclose information with a physical attack. | 2026-01-13 | 4.3 | CVE-2026-20936 | Windows NDIS Information Disclosure Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20935 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20819 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Use of uninitialized resource in Dynamic Root of Trust for Measurement (DRTM) allows an authorized attacker to disclose information locally. | 2026-01-13 | 4.4 | CVE-2026-20962 | Dynamic Root of Trust for Measurement (DRTM) Information Disclosure Vulnerability |
| Microsoft--Windows Server 2019 | Insertion of sensitive information into log file in Windows Kernel allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20818 | Windows Kernel Information Disclosure Vulnerability |
| Microsoft--Windows Server 2019 | Use of a broken or risky cryptographic algorithm in Windows Kerberos allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20833 | Windows Kerberos Information Disclosure Vulnerability |
| Microsoft--Windows Server 2022 | Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20838 | Windows Kernel Information Disclosure Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Out-of-bounds read in Capability Access Management Service (camsvc) allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20851 | Capability Access Management Service (camsvc) Information Disclosure Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Heap-based buffer overflow in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 6.7 | CVE-2026-20876 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Out-of-bounds read in Capability Access Management Service (camsvc) allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20835 | Capability Access Management Service (camsvc) Information Disclosure Vulnerability |
| monetizemore--Advanced Ads Ad Manager & AdSense | The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-17 | 4.9 | CVE-2025-12984 | https://www.wordfence.com/threat-intel/vulnerabilities/id/729e8a06-abaa-4468-8a80-1e5c6cbace92?source=cve https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.13/includes/admin/class-placement-list-table.php#L254 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429511%40advanced-ads&new=3429511%40advanced-ads&sfp_email=&sfph_mail= |
| mPDF--mPDF | mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications. | 2026-01-13 | 6.2 | CVE-2022-50897 | ExploitDB-50995 Official mPDF Project Homepage VulnCheck Advisory: mPDF 7.0 - Local File Inclusion |
| n/a--EyouCMS | A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Executing a manipulation of the argument viewfile can lead to unrestricted upload. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 6.3 | CVE-2026-1107 | VDB-341699 \| EyouCMS Member Avatar Diyajax.php check_userinfo unrestricted upload VDB-341699 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731540 \| Hainan Zanzan Network Technology Co. Eyoucms <=1.7.1 causing code execution due to file inclusion https://github.com/24-2021/vul3/blob/main/Eyoucms/Eyoucms%3D1.7.1%20check_userinfo%20api%20viewfile%20exists%2C%20causing%20code%20execution%20due%20to%20file%20inclusion.md https://github.com/24-2021/vul3/blob/main/Eyoucms/Eyoucms%3D1.7.1%20check_userinfo%20api%20viewfile%20exists%2C%20causing%20code%20execution%20due%20to%20file%20inclusion.md#poc |
| n/a--Mapnik | A security vulnerability has been detected in Mapnik up to 4.2.0. This issue affects the function mapnik::dbf_file::string_value of the file plugins/input/shape/dbfile.cpp. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-18 | 5.3 | CVE-2025-15537 | VDB-341709 \| Mapnik dbfile.cpp string_value heap-based overflow VDB-341709 \| CTI Indicators (IOB, IOC, IOA) Submit #733348 \| mapnik Mapnik v4.2.0 and master-branch Heap-based Buffer Overflow https://github.com/mapnik/mapnik/issues/4543 https://github.com/oneafter/1218/blob/main/repro |
| n/a--net.sourceforge.plantuml:plantuml | Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG. | 2026-01-16 | 6.1 | CVE-2026-0858 | https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230 https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd https://github.com/plantuml/plantuml/releases/tag/v1.2026.0 |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.6. Affected by this vulnerability is an unknown functionality of the component GTPv2 Bearer Response Handler. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 98f76e98df35cd6a35e868aa62715db7f8141ac1. A patch should be applied to remediate this issue. | 2026-01-16 | 5.3 | CVE-2025-15528 | VDB-341595 \| Open5GS GTPv2 Bearer Response denial of service VDB-341595 \| CTI Indicators (IOB, IOC, TTP) Submit #728128 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4225 https://github.com/open5gs/open5gs/issues/4225#issue-3769531006 https://github.com/open5gs/open5gs/commit/98f76e98df35cd6a35e868aa62715db7f8141ac1 |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named b19cf6a2dbf5d30811be4488bf059c865bd7d1d2. To fix this issue, it is recommended to deploy a patch. | 2026-01-16 | 5.3 | CVE-2025-15529 | VDB-341596 \| Open5GS s5c-handler.c sgwc_s5c_handle_create_session_response denial of service VDB-341596 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #728130 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4226 https://github.com/open5gs/open5gs/issues/4226#issue-3769595366 https://github.com/open5gs/open5gs/commit/b19cf6a2dbf5d30811be4488bf059c865bd7d1d2 |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.6. This affects the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c. Executing a manipulation can lead to reachable assertion. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The issue report is flagged as already-fixed. | 2026-01-17 | 5.3 | CVE-2025-15530 | VDB-341597 \| Open5GS s11-handler.c assertion VDB-341597 \| CTI Indicators (IOB, IOC, IOA) Submit #728987 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4231 https://github.com/open5gs/open5gs/issues/4231#issue-3774187007 |
| n/a--Open5GS | A vulnerability was identified in Open5GS up to 2.7.5. This vulnerability affects the function sgwc_bearer_add of the file src/sgwc/context.c. The manipulation leads to reachable assertion. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The issue report is flagged as already-fixed. | 2026-01-17 | 5.3 | CVE-2025-15531 | VDB-341598 \| Open5GS context.c sgwc_bearer_add assertion VDB-341598 \| CTI Indicators (IOB, IOC, IOA) Submit #729339 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4233 https://github.com/open5gs/open5gs/issues/4233#issue-3776216182 |
| n/a--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects some unknown processing of the component Timer Handler. The manipulation results in resource consumption. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The patch is identified as c7c131f8d2cb1195ada5e0e691b6868ebcd8a845. It is best practice to apply a patch to resolve this issue. | 2026-01-17 | 5.3 | CVE-2025-15532 | VDB-341599 \| Open5GS Timer resource consumption VDB-341599 \| CTI Indicators (IOB, IOC, TTP) Submit #729354 \| Open5GS SGWC v2.7.6 Denial of Service Submit #729357 \| Open5GS SGWC v2.7.6 Denial of Service (Duplicate) https://github.com/open5gs/open5gs/issues/4220 https://github.com/open5gs/open5gs/issues/4221 https://github.com/open5gs/open5gs/issues/4220#issue-3766066853 https://github.com/open5gs/open5gs/commit/c7c131f8d2cb1195ada5e0e691b6868ebcd8a845 |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c of the component sgwc. This manipulation causes denial of service. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: b4707272c1caf6a7d4dca905694ea55557a0545f. To fix this issue, it is recommended to deploy a patch. The issue report is flagged as already-fixed. | 2026-01-18 | 5.3 | CVE-2025-15539 | VDB-341732 \| Open5GS sgwc s11-handler.c sgwc_s11_handle_downlink_data_notification_ack denial of service VDB-341732 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735339 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4230 https://github.com/open5gs/open5gs/issues/4230#issue-3774173079 https://github.com/open5gs/open5gs/commit/b4707272c1caf6a7d4dca905694ea55557a0545f |
| n8n-io--n8n | n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node's IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0. | 2026-01-13 | 5.3 | CVE-2025-68949 | https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp https://github.com/n8n-io/n8n/issues/23399 https://github.com/n8n-io/n8n/pull/23399 https://github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5 |
| naa986--Payment Button for PayPal | The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, granted they can bypass basic parameter validation. If email sending is enabled, the plugin will also trigger purchase receipt emails to any email address supplied in the request, leading to order database corruption and unauthorized outgoing emails without any real PayPal transaction taking place. | 2026-01-17 | 5.3 | CVE-2025-14463 | https://www.wordfence.com/threat-intel/vulnerabilities/id/814e50de-3690-4adf-bc01-a63cd71bd1cf?source=cve https://plugins.trac.wordpress.org/browser/wp-paypal/trunk/wp-paypal.php#L70 https://plugins.trac.wordpress.org/browser/wp-paypal/tags/1.2.3.41/wp-paypal.php#L70 https://plugins.trac.wordpress.org/browser/wp-paypal/trunk/wp-paypal-checkout.php#L249 https://plugins.trac.wordpress.org/browser/wp-paypal/tags/1.2.3.41/wp-paypal-checkout.php#L249 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3431974%40wp-paypal&new=3431974%40wp-paypal&sfp_email=&sfph_mail= |
| netcashpaynow--Netcash WooCommerce Payment Gateway | The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed. | 2026-01-14 | 5.3 | CVE-2025-14880 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ca11df6-83e3-48b5-84b8-3f3e4f75ac4a?source=cve https://plugins.trac.wordpress.org/browser/netcash-pay-now-payment-gateway-for-woocommerce/tags/4.1.3/includes/class-wc-gateway-paynow.php#L1127 |
| ninjateam--WP Duplicate Page | The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's "Allowed User Roles" setting, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders. | 2026-01-13 | 5.4 | CVE-2025-14001 | https://www.wordfence.com/threat-intel/vulnerabilities/id/60830ed8-3ab8-44e8-899c-7032a187da8b?source=cve https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L54 https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L79 https://plugins.trac.wordpress.org/changeset/3432233/ |
| nofearinc--WP-CRM System Manage Clients and Projects | The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses. | 2026-01-14 | 5.4 | CVE-2025-14854 | https://www.wordfence.com/threat-intel/vulnerabilities/id/da607df4-1dbb-4b1e-ace6-b339cf9e8512?source=cve https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-functions.php?marks=942-975#L942 https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-dashboard-task-list.php?marks=177-190#L177 |
| NSecsoft--NSecKrnl | NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted IOCTL requests to the driver. | 2026-01-13 | 4.7 | CVE-2025-68947 | |
| obridgeacademy--WPBlogSyn | The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-14389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/141137a4-609f-4ea9-beba-d37b48144c29?source=cve https://plugins.trac.wordpress.org/browser/wpblogsync/tags/1.0/blogsync.php#L14 |
| Open Asset Import Library--Assimp | A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128. | 2026-01-18 | 5.3 | CVE-2025-15538 | VDB-341727 \| Open Asset Import Library Assimp LWOMaterial.cpp FindUVChannels use after free VDB-341727 \| CTI Indicators (IOB, IOC, IOA) Submit #735232 \| Open Asset Import Library Assimp 6.0.2 Use After Free https://github.com/assimp/assimp/issues/6258 https://github.com/assimp/assimp/issues/6258#issuecomment-3070999530 https://github.com/user-attachments/files/21216542/assimp_poc10.zip |
| opencryptoki--opencryptoki | openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation that allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption or denial-of-service. | 2026-01-13 | 6.6 | CVE-2026-22791 | https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-26f5-3mwq-4wm7 https://github.com/opencryptoki/opencryptoki/commit/785d7577e1477d12fbe235554e7e7b24f2de34b7 https://github.com/opencryptoki/opencryptoki/commit/e37e9127deeeb7bf3c3c4d852c594256c57ec3a8 |
| OpenSC project--pam_pkcs11 | In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass. | 2026-01-16 | 6.7 | CVE-2025-24531 | https://github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-7mf6-rg36-qgch https://github.com/OpenSC/pam_pkcs11/releases https://www.openwall.com/lists/oss-security/2025/02/06/3 |
| opensourcepos--opensourcepos | Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 have a stored XSS vulnerability in the Configuration (Information) functionality. An authenticated user with the permission "Configuration: Change OSPOS's Configuration" can inject a malicious JavaScript payload into the Company Name field when updating Information in Configuration. The malicious payload is stored and later triggered when a user accesses /sales/complete. First select Sales, and choose New Item to create an item, then click on Completed. Due to insufficient input validation and output encoding, the payload is rendered and executed in the user's browser, resulting in a stored XSS vulnerability. This vulnerability is fixed in 3.4.2. | 2026-01-13 | 4.3 | CVE-2025-68658 | https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-32r8-8r9r-9chw https://github.com/opensourcepos/opensourcepos/commit/849439c71eaa4c15857fb7c603297261c2ddc26d |
| paultgoodchild--Shield: Blocks Bots, Protects Users, and Prevents Security Breaches | The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user. | 2026-01-16 | 4.3 | CVE-2025-15370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d777014a-5397-4062-af39-7ea86589a0d0?source=cve https://plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/ActionRouter/Actions/MfaGoogleAuthToggle.php https://plugins.trac.wordpress.org/changeset/3438647/wp-simple-firewall |
| payhere--PayHere Payment Gateway Plugin for WooCommerce | The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold. | 2026-01-14 | 5.3 | CVE-2025-15475 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e0c92241-0bef-4f87-8478-4d805435f09d?source=cve https://plugins.trac.wordpress.org/browser/payhere-payment-gateway/tags/2.3.9/gateway/class-wcgatewaypayhere.php#L709 |
| perfitdev--Perfit WooCommerce | The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter. | 2026-01-14 | 5.3 | CVE-2025-14173 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cb141b46-2585-4b58-8d91-0cdb275348a1?source=cve https://plugins.trac.wordpress.org/browser/perfit-woocommerce/trunk/includes/class-wcp-settings-tab.php#L102 https://plugins.trac.wordpress.org/browser/perfit-woocommerce/tags/1.0.1/includes/class-wcp-settings-tab.php#L102 |
| Phpwcms--Phpwcms | Phpwcms 1.9.30 contains a file upload vulnerability that allows authenticated attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG payloads through the multiple file upload feature to potentially execute cross-site scripting attacks on the platform. | 2026-01-15 | 5.4 | CVE-2021-47783 | ExploitDB-50363 Official Product Homepage VulnCheck Advisory: Phpwcms 1.9.30 - Arbitrary File Upload |
| pimcore--pimcore | Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user explicitly lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1. | 2026-01-15 | 5.4 | CVE-2026-23496 | https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r https://github.com/pimcore/web2print-tools/pull/108 https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1 https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2 https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1 |
| pimcore--pimcore | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14. | 2026-01-15 | 4.3 | CVE-2026-23494 | https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf https://github.com/pimcore/pimcore/pull/18893 https://github.com/pimcore/pimcore/releases/tag/v11.5.14 https://github.com/pimcore/pimcore/releases/tag/v12.3.1 |
| pimcore--pimcore | Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16. | 2026-01-15 | 4.3 | CVE-2026-23495 | https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909 https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16 https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54. | 2026-01-12 | 6.1 | CVE-2026-22695 | https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp https://github.com/pnggroup/libpng/issues/778 https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea https://github.com/pnggroup/libpng/commit/e4f7ad4ea2 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit that causes a heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. | 2026-01-12 | 6.8 | CVE-2026-22801 | https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8 |
| prasannasp--Short Link | The Short Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'short_link_post_title' and 'short_link_page_title' parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. | 2026-01-14 | 4.4 | CVE-2026-0813 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8623d2cc-dcdd-4453-9a86-669bdd44eae1?source=cve https://plugins.trac.wordpress.org/browser/short-link/tags/1.0/short-link.php#L118 https://plugins.trac.wordpress.org/browser/short-link/trunk/short-link.php#L118 |
| radykal--Fancy Product Designer | The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | 2026-01-16 | 5.3 | CVE-2025-15526 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9b39b4ce-3885-4ea4-8cf0-84e66e7f6a12?source=cve https://support.fancyproductdesigner.com/support/discussions/topics/13000036024 |
| raysan5--raylib | A vulnerability was determined in raysan5 raylib up to 909f040. Affected by this vulnerability is the function GenImageFontAtlas of the file src/rtext.c. Executing a manipulation can lead to heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. This patch is called 5a3391fdce046bc5473e52afbd835dd2dc127146. Applying a patch is advised to resolve this issue. | 2026-01-18 | 5.3 | CVE-2025-15533 | VDB-341705 \| raysan5 raylib rtext.c GenImageFontAtlas heap-based overflow VDB-341705 \| CTI Indicators (IOB, IOC, IOA) Submit #733341 \| raysan5 raylib 909f040 Heap-based Buffer Overflow Submit #733342 \| raysan5 raylib 909f040 Heap-based Buffer Overflow (Duplicate) https://github.com/raysan5/raylib/issues/5433 https://github.com/raysan5/raylib/pull/5450 https://github.com/oneafter/1224/blob/main/hbf2 https://github.com/raysan5/raylib/commit/5a3391fdce046bc5473e52afbd835dd2dc127146 |
| raysan5--raylib | A vulnerability was identified in raysan5 raylib up to 909f040. Affected by this issue is the function LoadFontData of the file src/rtext.c. The manipulation leads to integer overflow. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The identifier of the patch is 5a3391fdce046bc5473e52afbd835dd2dc127146. It is suggested to install a patch to address this issue. | 2026-01-18 | 5.3 | CVE-2025-15534 | VDB-341706 \| raysan5 raylib rtext.c LoadFontData integer overflow VDB-341706 \| CTI Indicators (IOB, IOC, IOA) Submit #733343 \| raysan5 raylib 909f040 Integer Overflow https://github.com/raysan5/raylib/issues/5436 https://github.com/raysan5/raylib/pull/5450 https://github.com/oneafter/1224/blob/main/segv1 https://github.com/raysan5/raylib/commit/5a3391fdce046bc5473e52afbd835dd2dc127146 |
| rebelcode--RSS Aggregator RSS Import, News Feeds, Feed to Post, and Autoblogging | The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'className' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-16 | 6.1 | CVE-2025-14375 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3d2dde13-2940-478e-8e2b-baf60003754a?source=cve https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence. | 2026-01-14 | 6.5 | CVE-2025-14242 | RHSA-2026:0605 RHSA-2026:0606 RHSA-2026:0608 https://access.redhat.com/security/cve/CVE-2025-14242 RHBZ#2419826 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. | 2026-01-15 | 5.9 | CVE-2026-0990 | https://access.redhat.com/security/cve/CVE-2026-0990 RHBZ#2429959 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup's WebSocket support with this configuration may be impacted. | 2026-01-13 | 4.8 | CVE-2026-0716 | https://access.redhat.com/security/cve/CVE-2026-0716 RHBZ#2427896 https://gitlab.gnome.org/GNOME/libsoup/-/issues/476 |
| rndsand81--Stopwords for comments | The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for_comments' and 'delete_stopwords_for_comments' functions. This makes it possible for unauthenticated attackers to add or delete stopwords via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-15376 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dd8c45c7-dbb2-46ab-8e50-e02062587b00?source=cve https://plugins.trac.wordpress.org/browser/stopwords-for-comments/trunk/functions.php?marks=151,170#L151 |
| roxnor--GetGenie AI Content Writer with Keyword Research & SEO Tracking Tools | The GetGenie plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.0. This is due to the plugin not properly verifying that a user is authorized to delete a specific post. This makes it possible for authenticated attackers, with Author-level access and above, to delete any post on the WordPress site, including posts authored by other users. | 2026-01-16 | 4.3 | CVE-2026-1003 | https://www.wordfence.com/threat-intel/vulnerabilities/id/38ec647a-3c0c-4d3c-ba34-64c17803867b?source=cve https://plugins.trac.wordpress.org/browser/getgenie/trunk/app/Api/GetGenieChat.php#L153 https://plugins.trac.wordpress.org/changeset/3436920/ |
| saadiqbal--Quick Contact Form | The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details. | 2026-01-17 | 5.8 | CVE-2025-12718 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dc7ba538-a7ee-48c8-996c-b8db1934fdeb?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433286%40quick-contact-form&new=3433286%40quick-contact-form&sfp_email=&sfph_mail= |
| sablab--Internal Link Builder | The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2025-14725 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1febe071-b296-4958-a9e8-9be9391f2390?source=cve https://plugins.trac.wordpress.org/browser/internal-link-builder/trunk/InternalLinkBuilder.php#L133 |
| Sanluan--PublicCMS | A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.4 | CVE-2026-1112 | VDB-341704 \| Sanluan PublicCMS Trade Address Deletion Endpoint TradeAddressController.java delete improper authorization VDB-341704 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #732771 \| publiccms PublicCMS <= V5.202506.d Insecure Direct Object Reference (IDOR) https://github.com/AnalogyC0de/public_exp/issues/4 |
| Sanluan--PublicCMS | A vulnerability has been found in Sanluan PublicCMS up to 5.202506.d. This impacts the function Save of the file com/publiccms/controller/admin/sys/TaskTemplateAdminController.java of the component Task Template Management Handler. Such manipulation of the argument path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 4.7 | CVE-2026-1111 | VDB-341703 \| Sanluan PublicCMS Task Template Management TaskTemplateAdminController.java save path traversal VDB-341703 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #732726 \| publiccms PublicCMS <= V5.202506.d Remote Code Execution (RCE) https://github.com/AnalogyC0de/public_exp/issues/2 |
| SAP_SE--Business Server Pages Application (Product Designer Web UI) | SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application. | 2026-01-13 | 4.3 | CVE-2026-0497 | https://me.sap.com/notes/3677111 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Business Connector | Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability. | 2026-01-13 | 6.1 | CVE-2026-0514 | https://me.sap.com/notes/3666061 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP ERP Central Component and SAP S/4HANA (SAP EHS Management) | Due to a missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application, which might further affect the subsequent systems. This vulnerability leads to a low impact on confidentiality and integrity of the application with no effect on availability. | 2026-01-13 | 6.4 | CVE-2026-0503 | https://me.sap.com/notes/3681523 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application. | 2026-01-13 | 6.6 | CVE-2026-0496 | https://me.sap.com/notes/3565506 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application. | 2026-01-13 | 5.1 | CVE-2026-0495 | https://me.sap.com/notes/3565506 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation, an attacker could execute state-changing actions using an inappropriate request type. This deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user, causing low impact on integrity of the system. This has no impact on confidentiality and availability. | 2026-01-13 | 4.3 | CVE-2026-0493 | https://me.sap.com/notes/3655229 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application; integrity and availability are not impacted. | 2026-01-13 | 4.3 | CVE-2026-0494 | https://me.sap.com/notes/3655227 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability. | 2026-01-13 | 6.1 | CVE-2026-0499 | https://me.sap.com/notes/3687372 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Supplier Relationship Management (SICF Handler in SRM Catalog) | Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site. This causes low impact on integrity of the application. Confidentiality and availability are not impacted. | 2026-01-13 | 4.7 | CVE-2026-0513 | https://me.sap.com/notes/3638716 https://url.sap/sapsecuritypatchday |
| SchedMD--Slurm | In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the accounting system can allow a Coordinator to promote a user to Administrator. | 2026-01-16 | 4.2 | CVE-2025-43904 | https://www.schedmd.com/security-policy/ https://lists.schedmd.com/mailman3/hyperkitty/list/slurm-announce@lists.schedmd.com/message/B73QHKW6TKE2T5KDWVPIWNE5H4KWX667/ |
| Schlix--Schlix CMS | Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into category titles. Attackers can create a new contact category with a script payload that will execute when the page is viewed by other users. | 2026-01-16 | 6.4 | CVE-2021-47834 | ExploitDB-49837 Vendor Homepage VulnCheck Advisory: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated) |
| searchwiz--SearchWiz | The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using `esc_attr()` instead of `esc_html()` when outputting post titles in search results. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in post titles that will execute whenever a user performs a search and views the search results page. | 2026-01-14 | 6.4 | CVE-2026-0694 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e60a315-7f74-4d81-b6d2-ad3d40d489ef?source=cve https://plugins.trac.wordpress.org/browser/searchwiz/trunk/public/class-sw-ajax.php#L616 https://plugins.trac.wordpress.org/browser/searchwiz/tags/1.0.0/public/class-sw-ajax.php#L616 |
| shoheitanaka--PAYGENT for WooCommerce | The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint. | 2026-01-17 | 5.3 | CVE-2025-14078 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9de42bd9-a1d2-48f2-a594-4013a9490e25?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/trunk/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199 https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/tags/2.4.2/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433179%40woocommerce-for-paygent-payment-main&new=3433179%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432342%40woocommerce-for-paygent-payment-main&new=3432342%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail= |
| SICK AG--Incoming Goods Suite | The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. | 2026-01-15 | 6.8 | CVE-2026-22637 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when (1) an Organization administrator exists and (2) the Server administrator is either not part of any organization or part of the same organization as the Organization administrator. Impact: Organization administrators can permanently delete Server administrator accounts; if the only Server administrator is deleted, the Grafana instance becomes unmanageable; no super-user permissions remain in the system; all users, organizations, and teams managed in the instance are affected. The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance. | 2026-01-15 | 5.5 | CVE-2026-22640 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. | 2026-01-15 | 5 | CVE-2026-22641 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | Certain requests pass the authentication token in the URL as a query string parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access. | 2026-01-15 | 5.3 | CVE-2026-22644 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components. | 2026-01-15 | 5.3 | CVE-2026-22645 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01 | 2026-01-15 | 4.3 | CVE-2026-22639 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: multiple organizations must exist in the Grafana instance, and the victim must be on a different organization than the one specified in the URL. | 2026-01-15 | 4.2 | CVE-2026-22642 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application's internal structure and discover other, more critical vulnerabilities. | 2026-01-15 | 4.3 | CVE-2026-22646 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--TDC-X401GL | Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device. | 2026-01-15 | 5.3 | CVE-2026-22911 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Improper validation of a login parameter may allow attackers to redirect users to malicious websites after authentication. This can lead to various risks, including stealing credentials from unsuspecting users. | 2026-01-15 | 4.3 | CVE-2026-22912 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data. | 2026-01-15 | 4.3 | CVE-2026-22913 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | An attacker with limited permissions may still be able to write files to specific locations on the device, potentially leading to system manipulation. | 2026-01-15 | 4.3 | CVE-2026-22914 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information. | 2026-01-15 | 4.3 | CVE-2026-22915 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration. | 2026-01-15 | 4.3 | CVE-2026-22916 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Improper input handling in a system endpoint may allow attackers to overload resources, causing a denial of service. | 2026-01-15 | 4.3 | CVE-2026-22917 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data. | 2026-01-15 | 4.3 | CVE-2026-22918 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| sigstore--fulcio | Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5. | 2026-01-12 | 5.8 | CVE-2026-22772 | https://github.com/sigstore/fulcio/security/advisories/GHSA-59jp-pj84-45mr https://github.com/sigstore/fulcio/commit/eaae2f2be56df9dea5f9b439ec81bedae4c0978d |
| Skyjos--Owlfiles File Manager | Owlfiles File Manager 12.0.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the path parameter in HTTP server endpoints. Attackers can craft URLs targeting the download and list endpoints with embedded script tags to execute arbitrary JavaScript in users' browsers. | 2026-01-13 | 6.2 | CVE-2022-50891 | ExploitDB-51036 Vendor Homepage Official App Store Listing VulnCheck Advisory: Owlfiles File Manager 12.0.1 Cross-Site Scripting via HTTP Server |
| SMEWebify--WebErpMesv2 | WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19. | 2026-01-12 | 5.4 | CVE-2026-22789 | https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-64rv-f829-x6m4 https://github.com/SMEWebify/WebErpMesv2/commit/c9e7f4a85aeb774a0ea4b61ad57a51b941166b69 |
| smings--LEAV Last Email Address Validator | The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-16 | 4.3 | CVE-2025-14853 | https://www.wordfence.com/threat-intel/vulnerabilities/id/93db56df-d21b-4788-84b2-7b28641b5a7a?source=cve https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L66 https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L2183 https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L257 |
| smub--All in One SEO Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | The All in One SEO - Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token. | 2026-01-16 | 4.3 | CVE-2025-14384 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f47d53e1-42ac-425e-a6f2-901a6d26845d?source=cve https://plugins.trac.wordpress.org/changeset/3435276/all-in-one-seo-pack |
| socialchampio--SocialChamp with WordPress | The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-14846 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bdbb660b-19aa-4c68-865c-0a51b85d1e5a?source=cve https://plugins.trac.wordpress.org/browser/auto-post-to-social-media-wp-to-social-champ/tags/1.3.3/admin/class-wp-socialchamp-settings-init.php#L157 |
| softwarepub--hermes | hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1. | 2026-01-12 | 5.9 | CVE-2026-22798 | https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23 https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514 |
| specialk--User Submitted Posts Enable Users to Submit Posts from the Front End | The User Submitted Posts - Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-16 | 6.4 | CVE-2026-0913 | https://www.wordfence.com/threat-intel/vulnerabilities/id/85bf7a1b-3c54-40c9-8f19-fcb9dd478a0e?source=cve https://plugins.trac.wordpress.org/browser/user-submitted-posts/tags/20251210/library/shortcode-access.php#L20 https://plugins.trac.wordpress.org/changeset/3439027/ |
| Spring--CLI VSCode Extension | The VSCode extension for Spring CLI is vulnerable to command injection, resulting in command execution on the user's machine. | 2026-01-14 | 6.8 | CVE-2026-22718 | https://spring.io/security/cve-2026-22718 |
| stylemix--Cost Calculator Builder | The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can mark any order's payment status as "completed" without actual payment. | 2026-01-16 | 5.3 | CVE-2025-14757 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b8415e5f-17a4-425c-ac28-5dd886d1bcf1?source=cve https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBOrderController.php#L408 https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBAjaxAction.php#L98 https://plugins.trac.wordpress.org/changeset/3437516/cost-calculator-builder/trunk/includes/classes/CCBOrderController.php?old=3426823&old_path=cost-calculator-builder%2Ftrunk%2Fincludes%2Fclasses%2FCCBOrderController.php |
| sweetdaisy86--RepairBuddy Repair Shop CRM & Booking Plugin for WordPress | The RepairBuddy - Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes. | 2026-01-17 | 5.3 | CVE-2026-0820 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1b2ad299-03b1-4b9e-a241-d2ad2d85c3ac?source=cve https://plugins.trac.wordpress.org/browser/computer-repair-shop/trunk/lib/includes/classes/class-wcrb_signature.php#L562 https://plugins.trac.wordpress.org/browser/computer-repair-shop/tags/4.1116/lib/includes/classes/class-wcrb_signature.php#L562 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436356%40computer-repair-shop&new=3436356%40computer-repair-shop&sfp_email=&sfph_mail= |
| Syed Balkhi--WPForms | WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in the victim's browser. | 2026-01-13 | 6.1 | CVE-2020-36919 | ExploitDB-51152 WPForms Lite Plugin Homepage VulnCheck Advisory: WPForms 1.7.8 - Cross-Site Scripting (XSS) |
| techknowprime--Responsive Accordion Slider | The Responsive Accordion Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resp_accordion_silder_save_images' function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify any slider's image metadata including titles, descriptions, alt text, and links. | 2026-01-14 | 4.3 | CVE-2026-0635 | https://www.wordfence.com/threat-intel/vulnerabilities/id/55cfb2c6-ca3f-45b7-8cd9-a5a1c3783ae0?source=cve https://plugins.trac.wordpress.org/browser/responsive-accordion-slider/tags/1.2.2/includes/admin/class-ras-admin.php#L101 |
| Testa--Testa | Testa 3.5.1 contains a reflected cross-site scripting vulnerability in the login.php redirect parameter that allows attackers to inject malicious scripts. Attackers can craft a specially encoded payload in the redirect parameter to execute arbitrary JavaScript in the victim's browser context. | 2026-01-13 | 6.1 | CVE-2022-50896 | ExploitDB-51023 Archived Product Homepage VulnCheck Advisory: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS) |
| thimpress--Thim Blocks | The Gutenberg Thim Blocks - Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the 'iconSVG' parameter, which can contain sensitive information such as wp-config.php. | 2026-01-17 | 6.5 | CVE-2025-13725 | https://www.wordfence.com/threat-intel/vulnerabilities/id/80de464f-a4b0-4aaf-8869-f8d29a422bdb?source=cve https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92 https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92 https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97 https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3424998%40thim-blocks&new=3424998%40thim-blocks&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3419638%40thim-blocks&new=3419638%40thim-blocks&sfp_email=&sfph_mail= |
| thimpress--WP Hotel Booking | The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce. | 2026-01-17 | 5.3 | CVE-2025-14075 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1fc4eaec-b5d8-4707-9260-bac02a4b1866?source=cve https://plugins.trac.wordpress.org/browser/wp-hotel-booking/trunk/includes/class-wphb-ajax.php#L192 https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L192 https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L36 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429399%40wp-hotel-booking&new=3429399%40wp-hotel-booking&sfp_email=&sfph_mail= |
| thundernest--ImportExportTools NG | ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials. | 2026-01-15 | 6.1 | CVE-2021-47768 | ExploitDB-50496 ImportExportTools NG GitHub Repository Thunderbird Addon Page Vulnerability-Lab Disclosure |
| torstenbulk--DK PDF WordPress PDF Generator | The DK PDF - WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-16 | 5 | CVE-2025-14793 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b062f72a-542c-4212-af83-4faefbf69bd7?source=cve https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/Frontend/WordPressIntegration.php?marks=22-25#L22 https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/PDF/Generator.php?marks=24-56#L24 https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/modules/PDF/DocumentBuilder.php#L213 https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/templates/dkpdf-index.php#L134 |
| traefik--traefik | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7. | 2026-01-15 | 5.9 | CVE-2026-22045 | https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d https://github.com/traefik/traefik/releases/tag/v2.11.35 https://github.com/traefik/traefik/releases/tag/v3.6.7 |
| treeverse--lakeFS | lakeFS is an open-source tool that transforms object storage into Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0. | 2026-01-15 | 6.5 | CVE-2025-68671 | https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55f https://github.com/treeverse/lakeFS/issues/9599 https://github.com/treeverse/lakeFS/commit/92966ae611d7f1a2bbe7fd56f9568c975aab2bd8 |
| Ttyplus--MTPutty | MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. Attackers can run a PowerShell command to retrieve the full command line of MTPutty processes, exposing plaintext SSH credentials. | 2026-01-15 | 6.2 | CVE-2021-47759 | ExploitDB-50574 Official MTPutty Product Homepage |
| Ubeeinteractive--Ubee EVW327 | Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the user's consent. | 2026-01-16 | 5.3 | CVE-2021-47820 | ExploitDB-49920 Ubee Interactive Official Homepage VulnCheck Advisory: Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF) |
| umbraco--Umbraco | Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts. | 2026-01-15 | 5.3 | CVE-2021-47776 | ExploitDB-50462 Umbraco Official Homepage Umbraco CMS Release Notes |
| Vertiv--Cyclades Serial Console Server | Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. Attackers can exploit the default user configuration to gain root access by manipulating system binaries and leveraging unrestricted sudo permissions. | 2026-01-13 | 6.2 | CVE-2022-50927 | ExploitDB-50773 Vertiv Official Homepage VulnCheck Advisory: Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation |
| VideoLAN--VLC media player | mmstu.c in VideoLAN VLC media player before 3.0.22 allows an out-of-bounds read and denial of service via a crafted 0x01 response from an MMS server. | 2026-01-16 | 4.8 | CVE-2025-51602 | https://www.videolan.org/security/sb-vlc3022.html https://code.videolan.org/videolan/vlc/-/issues/29146 |
| Visual-Tools--Visual Tools DVR VX16 | Visual Tools DVR VX16 version 4.2.28 contains a local privilege escalation vulnerability in its Sudo configuration that allows attackers to gain root access. Attackers can exploit the unsafe Sudo settings by using mount commands to bind a shell, enabling unauthorized system-level privileges. | 2026-01-15 | 6.2 | CVE-2021-47799 | ExploitDB-50104 Official Vendor Homepage |
| vk011--Real Post Slider Lite | The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2026-0680 | https://www.wordfence.com/threat-intel/vulnerabilities/id/324fd823-8ec9-4187-8694-6160bad8e093?source=cve https://plugins.trac.wordpress.org/browser/real-post-slider-lite/trunk/real-post-slider-lite.php#L130 https://plugins.trac.wordpress.org/browser/real-post-slider-lite/tags/2.4/real-post-slider-lite.php#L130 |
| webbu--WMF Mobile Redirector | The WMF Mobile Redirector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 4.4 | CVE-2026-0739 | https://www.wordfence.com/threat-intel/vulnerabilities/id/037b5c2c-510a-4fa5-b489-cb0478603be2?source=cve https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/trunk/includes/options-page.php#L55 https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/tags/1.2/includes/options-page.php#L55 https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/trunk/includes/options-page.php#L62 https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/tags/1.2/includes/options-page.php#L62 |
| WeblateOrg--wlc | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers. | 2026-01-12 | 5.3 | CVE-2026-22251 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766 https://github.com/WeblateOrg/wlc/pull/1098 https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797 |
| Wireshark Foundation--Wireshark | IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | 2026-01-14 | 5.3 | CVE-2026-0959 | https://www.wireshark.org/security/wnpa-sec-2026-02.html GitLab Issue #20939 |
| Wireshark Foundation--Wireshark | BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | 2026-01-14 | 5.5 | CVE-2026-0961 | https://www.wireshark.org/security/wnpa-sec-2026-01.html GitLab Issue #20880 |
| Wireshark Foundation--Wireshark | SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | 2026-01-14 | 5.3 | CVE-2026-0962 | https://www.wireshark.org/security/wnpa-sec-2026-03.html GitLab Issue #20945 |
| Wireshark Foundation--Wireshark | HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service | 2026-01-14 | 4.7 | CVE-2026-0960 | https://www.wireshark.org/security/wnpa-sec-2026-04.html GitLab Issue #20944 |
| wpcenter--AffiliateX Amazon Affiliate Plugin | The AffiliateX - Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to store arbitrary JavaScript that executes whenever an AffiliateX block renders on the site. | 2026-01-15 | 6.4 | CVE-2025-13859 | https://www.wordfence.com/threat-intel/vulnerabilities/id/36d57b8d-7e62-413b-8ea9-87963b8cd469?source=cve https://plugins.trac.wordpress.org/changeset/3420957/affiliatex/trunk/includes/functions/AjaxFunctions.php https://plugins.trac.wordpress.org/changeset/3420957/affiliatex/trunk/includes/helpers/class-affiliatex-helpers.php |
| wpchill--Filr Secure document library | The Filr - Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the 'filr' post type. | 2026-01-17 | 4.4 | CVE-2025-14632 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c16c3a8d-bae1-4729-86c8-ec13481ff187?source=cve https://plugins.trac.wordpress.org/browser/filr-protection/trunk/src/class-filr-uploader.php#L14 https://plugins.trac.wordpress.org/browser/filr-protection/tags/1.2.10/src/class-filr-uploader.php#L14 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425333%40filr-protection&new=3425333%40filr-protection&sfp_email=&sfph_mail= |
| wpdevelop--Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users. | 2026-01-16 | 4.3 | CVE-2025-14982 | https://www.wordfence.com/threat-intel/vulnerabilities/id/161d92e3-d255-4967-9449-be263a46bec8?source=cve https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L150 https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L722 https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L918 https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L158 https://plugins.trac.wordpress.org/browser/booking/trunk/core/wpbc-activation.php#L661 https://plugins.trac.wordpress.org/browser/booking/trunk/core/any/class-admin-menu.php#L22 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432649%40booking%2Ftrunk&old=3416518%40booking%2Ftrunk&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking&old=3436482&new_path=%2Fbooking&new=3436482&sfp_email=&sfph_mail= |
| wpdevteam--Essential Addons for Elementor Popular Elementor Templates & Widgets | The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted. | 2026-01-16 | 5.3 | CVE-2026-1004 | https://www.wordfence.com/threat-intel/vulnerabilities/id/06ef9a21-e2b9-40c7-9de5-cff175fa10a5?source=cve https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L820 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L64 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L65 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L832 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L1439 https://github.com/WPDevelopers/essential-addons-for-elementor-lite/commit/4e43db06bcf12870cc3b185ed59b3fe2cd227945 |
| wpswings--Wallet System for WooCommerce Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments | The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances. | 2026-01-17 | 6.5 | CVE-2025-14450 | https://www.wordfence.com/threat-intel/vulnerabilities/id/466a5315-fc05-4b96-9dfd-17862fc406c5?source=cve https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/trunk/includes/class-wallet-system-ajaxhandler.php#L140 https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/tags/2.7.2/includes/class-wallet-system-ajaxhandler.php#L140 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3435898%40wallet-system-for-woocommerce&new=3435898%40wallet-system-for-woocommerce&sfp_email=&sfph_mail= |
| xiweicheng--TMS | A vulnerability was detected in xiweicheng TMS up to 2.28.0. Affected by this issue is the function Upload of the file src/main/java/com/lhjz/portal/controller/FileController.java. The manipulation of the argument filename results in unrestricted upload. The attack may be performed from remote. The exploit is now public and may be used. | 2026-01-17 | 6.3 | CVE-2026-1061 | VDB-341629 \| xiweicheng TMS FileController.java upload unrestricted upload VDB-341629 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731240 \| https://gitee.com/xiweicheng/tms/ Merchant Mall - Mall Development/TMS 1.0 Unrestricted Upload https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
| xiweicheng--TMS | A flaw has been found in xiweicheng TMS up to 2.28.0. This affects the function Summary of the file src/main/java/com/lhjz/portal/util/HtmlUtil.java. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-01-17 | 6.3 | CVE-2026-1062 | VDB-341630 \| xiweicheng TMS HtmlUtil.java summary server-side request forgery VDB-341630 \| CTI Indicators (IOB, IOC, IOA) Submit #731241 \| https://gitee.com/xiweicheng/tms/ Merchant Mall - Mall Development/TMS 1.0 Server-Side Request Forgery Submit #731242 \| https://gitee.com/xiweicheng/tms/ Merchant Mall - Mall Development/TMS 1.0 Server-Side Request Forgery (Duplicate) https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/SSRF%EF%BC%881%EF%BC%89.md https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/SSRF%EF%BC%882%EF%BC%89.md |
| Xmind--Xmind | Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse interactions or file opening. | 2026-01-16 | 6.1 | CVE-2021-47844 | ExploitDB-49827 Official Xmind Product Homepage Proof of Concept Video VulnCheck Advisory: Xmind 2020 - Persistent Cross-Site Scripting |
| YouPHPTube--YouPHPTube | YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. Attackers can exploit the path traversal flaw in locale/function.php to include and view PHP files outside the intended directory by using directory traversal sequences. | 2026-01-13 | 6.2 | CVE-2021-47749 | ExploitDB-51101 Archived YouPHPTube Homepage VulnCheck Advisory: YouPHPTube <= 7.8 - Directory Traversal |
| YouPHPTube--YouPHPTube | YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page. | 2026-01-13 | 6.1 | CVE-2021-47750 | ExploitDB-51101 Archived YouPHPTube Homepage VulnCheck Advisory: YouPHPTube <= 7.8 - Cross-Site Scripting |
| zealopensource--User Registration Using Contact Form 7 | The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets. | 2026-01-17 | 5.3 | CVE-2025-12825 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b49978c1-9254-4229-8d32-e12896301f3d?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433276%40user-registration-using-contact-form-7&new=3433276%40user-registration-using-contact-form-7&sfp_email=&sfph_mail= |
| Zippy--Zstore | Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context. | 2026-01-13 | 6.1 | CVE-2023-53985 | ExploitDB-51207 Zstore/Zippy-CRM Product Homepage Zstore/Zippy-CRM GitHub Repository Vulnerability Reproduction Repository VulnCheck Advisory: Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS) |
| zitadel--zitadel | ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6. | 2026-01-15 | 5.3 | CVE-2026-23511 | https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2 https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d https://github.com/zitadel/zitadel/releases/tag/v3.4.6 https://github.com/zitadel/zitadel/releases/tag/v4.9.1 |
| Zohocorp--ManageEngine ADManager Plus | Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module | 2026-01-13 | 5.5 | CVE-2025-9435 | https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-9435.html |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| andy_moyle--Church Admin | The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-17 | 2.2 | CVE-2026-0682 | https://www.wordfence.com/threat-intel/vulnerabilities/id/77227fc5-7c38-476d-af4c-4b2ad3dd8420?source=cve https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/sermon-podcast.php#L1181 https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/sermon-podcast.php#L1181 https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/functions.php#L6297 https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/functions.php#L6297 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440847%40church-admin&new=3440847%40church-admin&sfp_email=&sfph_mail= |
| bestpractical--Request Tracker | Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. | 2026-01-16 | 2.6 | CVE-2025-61873 | https://docs.bestpractical.com/release-notes/rt/index.html |
| Fortinet--FortiSandbox | A Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox 4.4 all versions, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to proxy internal requests limited to plaintext endpoints only via crafted HTTP requests. | 2026-01-13 | 3.4 | CVE-2025-67685 | https://fortiguard.fortinet.com/psirt/FG-IR-25-783 |
| glenwpcoder--Drag and Drop Multiple File Upload for Contact Form 7 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled. | 2026-01-15 | 3.7 | CVE-2025-14457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a182243-b24a-4c46-8b65-6b38d8509a51?source=cve https://plugins.trac.wordpress.org/changeset/3428236/drag-and-drop-multiple-file-upload-contact-form-7 |
| Lenovo--Tab M11 TB330FU TB330XU | A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled. | 2026-01-14 | 3.2 | CVE-2025-14058 | https://support.lenovo.com/us/en/product_security/LEN-207951 |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags, which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens. | 2026-01-16 | 3.1 | CVE-2025-14822 | https://mattermost.com/security-updates |
| n/a--LigeroSmart | A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketZoom. This manipulation of the argument TicketID causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-17 | 3.5 | CVE-2026-1048 | VDB-341600 \| LigeroSmart index.pl cross site scripting VDB-341600 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #729399 \| LigeroSmart 6.1.26 Cross Site Scripting https://github.com/LigeroSmart/ligerosmart/issues/279 https://github.com/LigeroSmart/ligerosmart/issues/279#issue-3775562926 |
| n/a--LigeroSmart | A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument TicketID leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-17 | 3.5 | CVE-2026-1049 | VDB-341601 \| LigeroSmart index.pl cross site scripting VDB-341601 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #729402 \| LigeroSmart 6.1.26 Cross Site Scripting https://github.com/LigeroSmart/ligerosmart/issues/280 https://github.com/LigeroSmart/ligerosmart/issues/280#issue-3776580352 |
| nicbarker--clay | A security flaw has been discovered in nicbarker clay up to 0.14. This affects the function Clay__MeasureTextCached in the library clay.h. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-18 | 3.3 | CVE-2025-15535 | VDB-341707 \| nicbarker clay clay.h Clay__MeasureTextCached null pointer dereference VDB-341707 \| CTI Indicators (IOB, IOC, IOA) Submit #733346 \| nicbarker clay v0.14 and master-branch Memory Corruption https://github.com/nicbarker/clay/issues/566 https://github.com/oneafter/1215/blob/main/repro |
| nodejs--undici | Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0. | 2026-01-14 | 3.7 | CVE-2026-22036 | https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9 https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable. | 2026-01-15 | 3.7 | CVE-2026-0976 | https://access.redhat.com/security/cve/CVE-2026-0976 RHBZ#2429869 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk. | 2026-01-15 | 3.7 | CVE-2026-0989 | https://access.redhat.com/security/cve/CVE-2026-0989 RHBZ#2429933 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition. | 2026-01-15 | 2.9 | CVE-2026-0992 | https://access.redhat.com/security/cve/CVE-2026-0992 RHBZ#2429975 |
| SAP_SE--NW AS Java UME User Mapping | The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions, potentially leading to partial disclosure of sensitive information. This has low impact on confidentiality with no impact on integrity and availability of the application. | 2026-01-13 | 3 | CVE-2026-0510 | https://me.sap.com/notes/3593356 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Identity Management | Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability. | 2026-01-13 | 3.8 | CVE-2026-0504 | https://me.sap.com/notes/3657998 https://url.sap/sapsecuritypatchday |
| SICK AG--TDC-X401GL | An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data. | 2026-01-15 | 3.8 | CVE-2026-22919 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks. | 2026-01-15 | 3.7 | CVE-2026-22920 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| THM-Health--PILOS | PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, a Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminated without explicit intent or confirmation. This vulnerability is fixed in 4.10.0. | 2026-01-12 | 2.4 | CVE-2026-22800 | https://github.com/THM-Health/PILOS/security/advisories/GHSA-r24c-9p4j-rqw9 https://github.com/THM-Health/PILOS/commit/d9ab9bb7ac0a8581c25e24cb7db2152d40be4d1b |
| WeblateOrg--wlc | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0. | 2026-01-12 | 2.5 | CVE-2026-22250 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh https://github.com/WeblateOrg/wlc/pull/1097 https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AbhishekMali21--AbhishekMali21 | Multiple SQL Injection vulnerabilities exist in AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0 via the 'name' parameter in (1) member_search.php, (2) trainer_search.php, and (3) gym_search.php, and via the 'id' parameter in (4) payment_search.php. An unauthenticated remote attacker can exploit these issues to inject malicious SQL commands, leading to unauthorized data extraction, authentication bypass, or modification of database contents. | 2026-01-12 | not yet calculated | CVE-2025-67146 | https://github.com/AbhishekMali21/GYM-MANAGEMENT-SYSTEM/issues/4 |
| AbhishekMali21--AbhishekMali21 | Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and 'login_key' parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level. | 2026-01-12 | not yet calculated | CVE-2025-67147 | https://github.com/amansuryawanshi/Gym-Management-System-PHP/issues/3 |
| Absolute Security--Secure Access | CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure Access Server prior to 14.20. An attacker can send a specially crafted packet to a server and cause the server to crash | 2026-01-17 | not yet calculated | CVE-2026-0517 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0517 |
| Absolute Security--Secure Access | CVE-2026-0518 is a cross-site scripting vulnerability in versions of Secure Access prior to 14.20. An attacker with administrative privileges can interfere with another administrator's use of the console. | 2026-01-17 | not yet calculated | CVE-2026-0518 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0518 |
| Absolute Security--Secure Access | In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system. | 2026-01-17 | not yet calculated | CVE-2026-0519 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0519 |
| Acora--Acora | A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack. | 2026-01-12 | not yet calculated | CVE-2025-63314 | http://ddsn.com http://acora.com https://github.com/padayali-JD/CVE-2025-63314 |
| adonisjs--lucid | @adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6. | 2026-01-13 | not yet calculated | CVE-2026-22814 | https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f |
| Airth--Airth | An issue in AIRTH SMART HOME AQI MONITOR Bootloader v.1.005 allows a physically proximate attacker to obtain sensitive information via the UART port of the BK7231N controller (Wi-Fi and BLE module), which is left open to access on the device. | 2026-01-14 | not yet calculated | CVE-2025-67399 | http://airth.com https://github.com/rupeshsurve04/CVE-2025-67399/blob/main/AIRTH_SMART_HOME_AQI_MONITOR_CVE-2025-67399.pdf |
| akinloluwami--outray | Outray is an open-source ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5. | 2026-01-14 | not yet calculated | CVE-2026-22820 | https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7 https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581 |
| alextselegidis--easyappointments | Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover. | 2026-01-15 | not yet calculated | CVE-2026-23622 | https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj |
| AltumCode--AltumCode | Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file | 2026-01-12 | not yet calculated | CVE-2025-66939 | https://66biolinks.com/ https://gist.github.com/Waqar-Arain/2a21b135a04e7804c124688ea1085875 |
| AMD--AMD EPYC 9004 Series Processors | A write-what-where condition within AMD CPUs may allow an admin-privileged attacker to modify the configuration of the CPU pipeline, potentially resulting in the corruption of the stack pointer inside an SEV-SNP guest. | 2026-01-16 | not yet calculated | CVE-2025-29943 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3027.html |
| anomalyco--opencode | OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10. | 2026-01-12 | not yet calculated | CVE-2026-22813 | https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp |
| Anycomment--Anycomment | Cross Site Scripting vulnerability in Anycomment anycomment.io 0.4.4 allows a remote attacker to execute arbitrary code via the Anycomment comment section | 2026-01-15 | not yet calculated | CVE-2025-67025 | https://bdu.fstec.ru/vul/2023-08900 https://anycomment.io/site/changelog |
| Apache Software Foundation--Apache Airflow | In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue | 2026-01-16 | not yet calculated | CVE-2025-68438 | https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff |
| Apache Software Foundation--Apache Airflow | In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue | 2026-01-16 | not yet calculated | CVE-2025-68675 | https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5 |
| Apache Software Foundation--Apache bRPC | Remote command injection vulnerability in heap profiler builtin service in Apache bRPC (all versions < 1.15.0) on all platforms allows an attacker to inject remote commands. Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter. Affected scenarios: Use the built-in bRPC heap profiler service to perform jemalloc memory profiling. How to Fix: we provide two methods, you can choose one of them: 1. Upgrade bRPC to version 1.15.0. 2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually. | 2026-01-16 | not yet calculated | CVE-2025-60021 | https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx5845q7b37m |
| Apache Software Foundation--Apache Camel Neo4j | Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0. Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS and 4.14.3 for 4.14.x LTS and 4.17.0. | 2026-01-14 | not yet calculated | CVE-2025-66169 | https://camel.apache.org/security/CVE-2025-66169.html |
| Apple--iOS and iPadOS | The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An app may be able to corrupt coprocessor memory. | 2026-01-16 | not yet calculated | CVE-2024-44238 | https://support.apple.com/en-us/121563 |
| Apple--iOS and iPadOS | This issue was addressed through improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. A user may be able to view restricted content from the lock screen. | 2026-01-16 | not yet calculated | CVE-2024-54556 | https://support.apple.com/en-us/121563 |
| Apple--iOS and iPadOS | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps. | 2026-01-16 | not yet calculated | CVE-2025-24089 | https://support.apple.com/en-us/122066 |
| Apple--iOS and iPadOS | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps. | 2026-01-16 | not yet calculated | CVE-2025-24090 | https://support.apple.com/en-us/122066 |
| Apple--macOS | This issue was addressed with improved permissions checking. This issue is fixed in macOS Sequoia 15.1. An app may be able to access user-sensitive data. | 2026-01-16 | not yet calculated | CVE-2024-44210 | https://support.apple.com/en-us/121564 |
| Apple--macOS | A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 2026-01-16 | not yet calculated | CVE-2025-43508 | https://support.apple.com/en-us/125634 |
| Apple--Xcode | A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. An app may be able to bypass Privacy preferences. | 2026-01-16 | not yet calculated | CVE-2025-31186 | https://support.apple.com/en-us/122380 |
| Arm--Neoverse-N2 | In certain Arm CPUs, a CPP RCTX instruction executed on one Processing Element (PE) may inhibit TLB invalidation when a TLBI is issued to the PE, either by the same PE or another PE in the shareability domain. In this case, the PE may retain stale TLB entries which should have been invalidated by the TLBI. | 2026-01-14 | not yet calculated | CVE-2025-0647 | https://developer.arm.com/documentation/111546 |
| Assaf Parag--Poll, Survey & Quiz Maker Plugin by Opinion Stage | Poll, Survey & Quiz Maker Plugin by Opinion Stage Wordpress plugin versions prior to 19.6.25 contain a stored cross-site scripting (XSS) vulnerability via multiple parameters due to insufficient input validation and output escaping. An unauthenticated attacker can inject arbitrary script into content that executes when a victim views an affected page. | 2026-01-16 | not yet calculated | CVE-2019-25297 | https://wpscan.com/vulnerability/4ed1edd6-3813-44a3-bee7-f07c1774b679/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/social-polls-by-opinionstage/poll-survey-quiz-maker-plugin-by-opinion-stage-19625-unauthenticated-stored-cross-site-scripting https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-poll-survey-form-quiz-maker-by-opinionstage-cross-site-scripting-19-6-24/ https://wordpress.org/plugins/social-polls-by-opinionstage/ https://plugins.trac.wordpress.org/changeset/2158590/social-polls-by-opinionstage https://web.archive.org/web/20191020011448/https://www.pluginvulnerabilities.com/2019/09/16/hackers-may-already-be-targeting-this-persistent-xss-vulnerability-in-poll-survey-form-quiz-maker-by-opinionstage/ https://www.vulncheck.com/advisories/poll-survey-and-quiz-maker-plugin-by-opinion-stage-stored-xss |
| Automai--Automai | An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges | 2026-01-12 | not yet calculated | CVE-2025-46066 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/4e325d09d08e16efb506076da2184f42 |
| Automai--Automai | An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges and obtain sensitive information via a crafted js file | 2026-01-12 | not yet calculated | CVE-2025-46067 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/98204cff0065e611cf9e9acc3be59e03 |
| Automai--Automai | An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism | 2026-01-12 | not yet calculated | CVE-2025-46068 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/00ea6cce1299e1d999b5d1faac4248f1 |
| Automai--Automai | An issue in Automai BotManager v.25.2.0 allows a remote attacker to execute arbitrary code via the BotManager.exe component | 2026-01-12 | not yet calculated | CVE-2025-46070 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/776dd7e927d9b2f8ef10807abe124f8e |
| bee interactive--Livewire Filemanager | Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed. | 2026-01-16 | not yet calculated | CVE-2025-14894 | https://github.com/livewire-filemanager/filemanager https://hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform. | 2026-01-14 | not yet calculated | CVE-2026-22236 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the APIs exposed by the documentation. Successful exploitation of this vulnerability could allow the attacker to cause damage to the targeted platform by abusing internal functionality. | 2026-01-14 | not yet calculated | CVE-2026-22237 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in to the newly-created admin user. | 2026-01-14 | not yet calculated | CVE-2026-22238 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to design flaws in the email sending API. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable email sending API. Successful exploitation of this vulnerability could allow the attacker to send unsolicited emails to anyone on behalf of the company. | 2026-01-14 | not yet calculated | CVE-2026-22239 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password. | 2026-01-14 | not yet calculated | CVE-2026-22240 | https://blusparkglobal.com/bluvoyix/ |
| Broadcom--DX NetOps Spectrum | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Path Traversal. This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69267 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Reflected XSS. This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69268 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows OS Command Injection. This issue affects DX NetOps Spectrum: 23.3.6 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69269 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Information Exposure Through Query Strings in GET Request vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Session Hijacking. This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69270 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Insufficiently Protected Credentials vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks. This issue affects DX NetOps Spectrum: 24.3.13 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69271 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Cleartext Transmission of Sensitive Information vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks. This issue affects DX NetOps Spectrum: 21.2.1 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69272 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Improper Authentication vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Authentication Bypass. This issue affects DX NetOps Spectrum: 24.3.10 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69273 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Authorization Bypass Through User-Controlled Key vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Privilege Escalation. This issue affects DX NetOps Spectrum: 24.3.10 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69274 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Dependency on Vulnerable Third-Party Component vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows DOM-Based XSS. This issue affects DX NetOps Spectrum: 24.3.9 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69275 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Object Injection. This issue affects DX NetOps Spectrum: 24.3.13 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69276 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| calcom--cal.com | Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7. | 2026-01-13 | not yet calculated | CVE-2026-23478 | https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg |
| Chainlit--Chainlit | Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product. | 2026-01-14 | not yet calculated | CVE-2025-68492 | https://github.com/Chainlit/chainlit/releases https://jvn.jp/en/jp/JVN34964581/ |
| Chamillo--Chamillo | An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks. | 2026-01-16 | not yet calculated | CVE-2025-69581 | https://github.com/chamilo/chamilo-lms https://github.com/Rivek619/CVE-2025-69581 |
| Changjetong Information Technology Co., Ltd.--T+ | Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation on 2023-08-19 (UTC). | 2026-01-15 | not yet calculated | CVE-2023-7334 | https://www.chanjetvip.com/product/goods/detail?id=6077e91b70fa071069139f62 https://www.freebuf.com/articles/web/381731.html https://blog.csdn.net/qq_53003652/article/details/134031230 https://blog.csdn.net/u010025272/article/details/131553591 https://github.com/MD-SEC/MDPOCS/blob/main/ChangJieTongTPlus_GetStoreWarehouseByStore_Rce_Poc.py https://www.vulncheck.com/advisories/changjetong-tplus-getstorewarehousebystore-deserialization-rce |
| cursor--cursor | Cursor is a code editor built for programming with AI. Prior to 2.3, when the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3. | 2026-01-14 | not yet calculated | CVE-2026-22708 | https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w |
| Cyber Cafe--Cyber Cafe | A stored cross-site scripting (XSS) vulnerability exists in Cyber Cafe Management System v1.0. An authenticated attacker can inject arbitrary JavaScript code into the username parameter via the add-users.php endpoint. The injected payload is stored and executed in the victim's browser when the affected page is accessed. | 2026-01-15 | not yet calculated | CVE-2025-70890 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70890 |
| Cyber Cafe--Cyber Cafe | A stored cross-site scripting (XSS) vulnerability exists in Phpgurukul Cyber Cafe Management System v1.0 within the user management module. The application does not properly sanitize or encode user-supplied input submitted via the uadd parameter in the add-users.php endpoint. An authenticated attacker can inject arbitrary JavaScript code that is persistently stored in the database. The malicious payload is triggered when a privileged user clicks the View button on the view-allusers.php page. | 2026-01-15 | not yet calculated | CVE-2025-70891 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70891 |
| Cyber Cafe--Cyber Cafe | Phpgurukul Cyber Cafe Management System v1.0 contains a SQL Injection vulnerability in the user management module. The application fails to properly validate user-supplied input in the username parameter of the add-users.php endpoint. | 2026-01-15 | not yet calculated | CVE-2025-70892 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70892 |
| Cyber Cafe--Cyber Cafe | A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. The application fails to properly sanitize user-supplied input provided via the adminname parameter, allowing authenticated attackers to inject arbitrary SQL expressions. | 2026-01-15 | not yet calculated | CVE-2025-70893 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70893 |
| dask--distributed | Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0. | 2026-01-16 | not yet calculated | CVE-2026-23528 | https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2 https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa |
| DataDog--guarddog | GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1. | 2026-01-13 | not yet calculated | CVE-2026-22870 | https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b |
| DataDog--guarddog | GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, a path traversal vulnerability exists in GuardDog's safe_extract() function that allows malicious PyPI packages to write arbitrary files outside the intended extraction directory, leading to Arbitrary File Overwrite and Remote Code Execution on systems running GuardDog. This vulnerability is fixed in 2.7.1. | 2026-01-13 | not yet calculated | CVE-2026-22871 | https://github.com/DataDog/guarddog/security/advisories/GHSA-xg9w-vg3g-6m68 https://github.com/DataDog/guarddog/commit/9aa6a725b2c71d537d3c18d1c15621395ebb879c |
| defenseunicorns--pepr | Pepr is a type safe K8s middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the "getting started" experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5. | 2026-01-16 | not yet calculated | CVE-2026-23634 | https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q https://github.com/defenseunicorns/pepr/releases/tag/v1.0.5 |
| denoland--deno | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0. | 2026-01-15 | not yet calculated | CVE-2026-22863 | https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v https://github.com/denoland/deno/releases/tag/v2.6.0 |
| Drupal--Facebook Pixel | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS. This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. | 2026-01-14 | not yet calculated | CVE-2025-14557 | https://www.herodevs.com/vulnerability-directory/cve-2025-14557 https://d7es.tag1.com/security-advisories/facebook-pixel-less-critical-cross-site-scripting |
| Drupal--Flag | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS). This issue affects Flag: from 7.X-3.0 through 7.X-3.9. | 2026-01-14 | not yet calculated | CVE-2025-14556 | https://www.herodevs.com/vulnerability-directory/cve-2025-14556 https://d7es.tag1.com/security-advisories/flag-moderately-critical-cross-site-scripting-backdrop-sa-contrib-2025-011 |
| Eclipse Vert.x--Eclipse Vert.x | The Vert.x Web static handler component cache can be manipulated to deny access to static files served by the handler using a specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in the Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce: given a file served by the static handler, craft a URI that introduces a string like bar%2F..%2F after the last / char to deny access to the URI with an HTTP 404 response. For example, https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitigation: disabling the static handler cache fixes the issue. `StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);` | 2026-01-15 | not yet calculated | CVE-2026-1002 | https://github.com/eclipse-vertx/vert.x/pull/5895 |
| eigent-ai--eigent | Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases. | 2026-01-13 | not yet calculated | CVE-2026-22869 | https://github.com/eigent-ai/eigent/security/advisories/GHSA-gvh4-93cq-5xxp https://github.com/eigent-ai/eigent/pull/836 https://github.com/eigent-ai/eigent/pull/837 https://github.com/eigent-ai/eigent/commit/bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5 |
| eKoopmans--html2pdf.js | html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0. | 2026-01-14 | not yet calculated | CVE-2026-22787 | https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc https://github.com/eKoopmans/html2pdf.js/issues/865 https://github.com/eKoopmans/html2pdf.js/pull/877 https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0 |
| Emaintenance--Crazy Bubble Tea | In the Crazy Bubble Tea mobile application, an authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. The server does not verify the permissions required to obtain the data. This issue was fixed in version 915 (Android) and 7.4.1 (iOS). | 2026-01-14 | not yet calculated | CVE-2025-14317 | https://crazybubble.pl/aplikacja-crazy-bubble/ https://cert.pl/posts/2026/01/CVE-2025-14317 |
| emlog--emlog | Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise. | 2026-01-12 | not yet calculated | CVE-2026-22799 | https://github.com/emlog/emlog/security/advisories/GHSA-p837-mrw9-5x5j https://github.com/emlog/emlog/commit/429b02fda842254b9b9b39303e9161999c180560 |
| Enhancesoft--osTicket | Enhancesoft osTicket versions 1.18.3 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled. | 2026-01-12 | not yet calculated | CVE-2026-22200 | https://github.com/osTicket/osTicket/releases/tag/v1.18.3 https://github.com/osTicket/osTicket/commit/c59b067 https://www.vulncheck.com/advisories/osticket-pdf-export-arbitrary-file-read |
| Entrust Corporation--Instant Financial Issuance (IF) | Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host. | 2026-01-15 | not yet calculated | CVE-2026-23746 | https://www.entrust.com/products/issuance-systems/instant/financial-card https://trustedcare.entrust.com/s/article/E26-001-NET-Remoting-Vulnerabilities-in-the-Smart-Card-Controller-Service-of-the-Instant-Financial-Issuance-On-Premise-Software https://www.vulncheck.com/advisories/entrust-ifi-smartcardcontroller-service-net-remoting-rce |
| Eptura Archibus--Eptura Archibus | In Eptura Archibus 2024.03.01.109, the "Run script" and "Server File" components of the "Database Update Wizard" are vulnerable to directory traversal. | 2026-01-13 | not yet calculated | CVE-2025-25652 | https://eptura.com/our-platform/archibus/ https://packetstorm.news/files/id/213675 |
| Eramba--Eramba | A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticated cross-origin requests against the Eramba API, including endpoints like /system-api/login and /system-api/user/me. The response includes sensitive user session data (ID, name, email, access groups), which is accessible to the attacker's JavaScript. This flaw enables full session hijack and data exfiltration without user interaction. Eramba versions 3.23.3 and earlier were tested and appear unaffected. The vulnerability is present in default installations, requiring no custom configuration. | 2026-01-13 | not yet calculated | CVE-2025-55462 | http://eramba.com https://discussions.eramba.org/t/release-3-28-0/7860 |
| esm-dev--esm.sh | esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue. | 2026-01-18 | not yet calculated | CVE-2026-23644 | https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16 https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093 https://pkg.go.dev/vuln/GO-2025-4138 |
| ethereum--go-ethereum | go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8. | 2026-01-13 | not yet calculated | CVE-2026-22862 | https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mr7q-c9w9-wh4h https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2 |
| ethereum--go-ethereum | go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8. | 2026-01-13 | not yet calculated | CVE-2026-22868 | https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mq3p-rrmp-79jg https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2 |
| Flare Camera--Blurams | A vulnerability in the boot process of Blurams Flare Camera version 24.1114.151.929 and earlier allows a physically proximate attacker to hijack the boot mechanism and gain a bootloader shell via the UART interface. This is achieved by inducing a read error from the SPI flash memory during the boot, by shorting a data pin of the IC to ground. An attacker can then dump the entire firmware, leading to the disclosure of sensitive information including cryptographic keys and user configurations. | 2026-01-14 | not yet calculated | CVE-2025-65396 | http://blurams.com http://flare.com https://lessonsec.com/cve/cve-2025-65396/ |
| Flare Camera--Blurams | An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file system. The vulnerability can be triggered by providing a maliciously crafted auth.ini file on the device's SD card. | 2026-01-14 | not yet calculated | CVE-2025-65397 | http://blurams.com http://flare.com https://lessonsec.com/cve/cve-2025-65397/ |
| flipped-aurora--gin-vue-admin | Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. An attacker can upload any file to any directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../). An attacker with file upload privileges could exploit this vulnerability. | 2026-01-12 | not yet calculated | CVE-2026-22786 | https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-3558-j79f-vvm6 https://github.com/flipped-aurora/gin-vue-admin/commit/2242f5d6e133e96d1b359ac019bf54fa0e975dd5 |
| frappe--lms | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages. | 2026-01-14 | not yet calculated | CVE-2026-23497 | https://github.com/frappe/lms/security/advisories/GHSA-78mq-3whw-69j5 https://github.com/frappe/lms/commit/e7ccf0a711d0e0ab5e6b28b7a1e4e0510b6b9543 |
| FreeImage--FreeImage | FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE(). | 2026-01-14 | not yet calculated | CVE-2025-70968 | https://github.com/MiracleWolf/FreeimageCrash/tree/main |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22851 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8g87-6pvc-wh99 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22852 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR's NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22853 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22854 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47vj-g3c3-3rmf https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22855 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22856 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w842-c386-fxhv https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22857 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22858 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22859 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-56f5-76qv-2r36 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| Google--Android | In key-based pairing, there is a possible information disclosure due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-01-15 | not yet calculated | CVE-2025-36911 | https://source.android.com/security/bulletin/pixel/2026-01-01 |
| Google--Google Devices | In cpm_fwtp_msg_handler of cpm/google/lib/tracepoint/cpm_fwtp_ipc.c, there is a possible memory overwrite due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-01-16 | not yet calculated | CVE-2025-48647 | https://source.android.com/docs/security/bulletin/pixel/2026/2026-01-01 |
| Google--Keras | Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape. | 2026-01-15 | not yet calculated | CVE-2026-0897 | https://github.com/keras-team/keras/pull/21880 |
| GPAC--GPAC | GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function. | 2026-01-15 | not yet calculated | CVE-2025-70298 | https://github.com/zakkanijia/POC/blob/main/dmx_ogg/GPAC_oggdmx_parse_tags_offbyone.md |
| GPAC--GPAC | A heap overflow in the avi_parse_input_file() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted AVI file. | 2026-01-15 | not yet calculated | CVE-2025-70299 | https://github.com/zakkanijia/POC/blob/main/gpac_avi/GPAC_AVI_indx_heap_overflow.md |
| GPAC--GPAC | A heap overflow in the ghi_dmx_declare_opid_bin() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-15 | not yet calculated | CVE-2025-70302 | https://github.com/zakkanijia/POC/blob/main/gpac_ghi/ghi.md |
| GPAC--GPAC | A heap overflow in the uncv_parse_config() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. | 2026-01-15 | not yet calculated | CVE-2025-70303 | https://github.com/zakkanijia/POC/blob/main/gpac_uncv/GPAC_UNCV_CPAT.md |
| GPAC--GPAC | A buffer overflow in the vobsub_get_subpic_duration() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. | 2026-01-15 | not yet calculated | CVE-2025-70304 | https://github.com/zakkanijia/POC/blob/main/gpac_vobsub/GPAC_vobsub.md |
| GPAC--GPAC | A stack overflow in the dmx_saf function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .saf file. | 2026-01-15 | not yet calculated | CVE-2025-70305 | https://github.com/zakkanijia/POC/blob/main/gpac_saf/GPAC_SAF.md |
| GPAC--GPAC | A stack overflow in the dump_ttxt_sample function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. | 2026-01-15 | not yet calculated | CVE-2025-70307 | https://github.com/zakkanijia/POC/blob/main/gpac_boxDump/GPAC_tx3g.md |
| GPAC--GPAC | An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file. | 2026-01-15 | not yet calculated | CVE-2025-70308 | https://github.com/zakkanijia/POC/blob/main/gpac_gsf/GPAC_gsf.md |
| GPAC--GPAC | A stack overflow in the pcmreframe_flush_packet function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted WAV file. | 2026-01-15 | not yet calculated | CVE-2025-70309 | https://github.com/zakkanijia/POC/blob/main/gpac_rawpcm/GPAC_RFPCM.md |
| GPAC--GPAC | A heap overflow in the vorbis_to_intern() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .ogg file. | 2026-01-15 | not yet calculated | CVE-2025-70310 | https://github.com/zakkanijia/POC/blob/main/gpac_dec_vorbis/GPAC_VORBIS.md |
| gradle--gradle | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors. | 2026-01-16 | not yet calculated | CVE-2026-22816 | https://github.com/gradle/gradle/security/advisories/GHSA-w78c-w6vf-rw82 https://github.com/gradle/gradle/commit/e5707d0d8fce3d768c9c489004700d78eab1773a |
| gradle--gradle | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors. | 2026-01-16 | not yet calculated | CVE-2026-22865 | https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv |
| graphql-hive--graphql-modules | GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1. | 2026-01-16 | not yet calculated | CVE-2026-23735 | https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7 https://github.com/graphql-hive/graphql-modules/issues/2613 https://github.com/graphql-hive/graphql-modules/pull/2521 https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568 |
| Home Security System--D3D | D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on the 433 MHz sensor communication channel. The system does not implement rolling codes, message authentication, or anti-replay protection, allowing an attacker within RF range to record valid alarm/control frames and replay them to trigger false alarms. | 2026-01-12 | not yet calculated | CVE-2025-65552 | http://d3d.com https://github.com/EmbdCDACHyd/CVE/tree/main/CVE-2025-65552 |
| Home Security System--D3D | D3D Wi-Fi Home Security System ZX-G12 v2.1.17 is susceptible to RF jamming on the 433 MHz alarm sensor channel. An attacker within RF range can transmit continuous interference to block sensor transmissions, resulting in missed alarms and loss of security monitoring. The device lacks jamming detection or mitigations, creating a denial-of-service condition that may lead to undetected intrusions or failure to trigger safety alerts. | 2026-01-12 | not yet calculated | CVE-2025-65553 | http://d3d.com https://github.com/EmbdCDACHyd/CVE/tree/main/CVE-2025-65553 |
| https://github.com/linrunner--TLP | An Improper Authentication vulnerability in TLP allows local users to arbitrarily control the power profile in use as well as the daemon's log settings. This issue affects TLP: from 1.9 before 1.9.1. | 2026-01-14 | not yet calculated | CVE-2025-67859 | https://security.opensuse.org/2026/01/07/tlp-polkit-authentication-bypass.html https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67859 |
| https://github.com/ShadowBlip--inputplumber | Polkit authentication disabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005. | 2026-01-14 | not yet calculated | CVE-2025-14338 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-14338 https://security.opensuse.org/2026/01/09/inputplumber-lack-of-dbus-auth.html |
| https://github.com/ShadowBlip--inputplumber | Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session. | 2026-01-14 | not yet calculated | CVE-2025-66005 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66005 https://security.opensuse.org/2026/01/09/inputplumber-lack-of-dbus-auth.html |
| Hubert Imoveis--Hubert Imoveis | An arbitrary file upload vulnerability in the /utils/uploadFile component of Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. | 2026-01-13 | not yet calculated | CVE-2025-65783 | http://hub.com http://hubert.com https://github.com/carlos-artmann/vulnerability-research/tree/main/CVE-2025-65783 |
| Hubert Imoveis--Hubert Imoveis | Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows authenticated attackers with low-level privileges to access other users' information via a crafted API request. | 2026-01-13 | not yet calculated | CVE-2025-65784 | http://hub.com http://hubert.com https://github.com/carlos-artmann/vulnerability-research/tree/main/CVE-2025-65784 |
| HumanSignal--label-studio | Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users' browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim's API token or call token reset endpoints - enabling full account takeover and unauthorized API access. | 2026-01-12 | not yet calculated | CVE-2026-22033 | https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch https://github.com/HumanSignal/label-studio/pull/9084 https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505 |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls that cause mismanagement of reference counting, leading to a potential use after free. Improper reference counting on an internal resource caused a scenario where the potential for a use after free was present. | 2026-01-13 | not yet calculated | CVE-2025-10865 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | Intermediate register values of secure workloads can be exfiltrated in workloads scheduled from applications running in the non-secure environment of a platform. | 2026-01-13 | not yet calculated | CVE-2025-25176 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour. This attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second-order effect of corrupted arbitrary physical memory. | 2026-01-13 | not yet calculated | CVE-2025-58409 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resource reference counting, creating a potential use after free scenario. Improper resource management and reference counting on an internal resource caused a scenario where a potential write use after free was present. | 2026-01-13 | not yet calculated | CVE-2025-58411 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imaster--MEMS Events CRM | Imaster's MEMS Events CRM contains an SQL injection vulnerability in the 'keyword' parameter in '/memsdemo/exchange_offers.php'. | 2026-01-12 | not yet calculated | CVE-2025-41005 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| Imaster--MEMS Events CRM | Imaster's MEMS Events CRM contains an SQL injection vulnerability in the 'phone' parameter in '/memsdemo/login.php'. | 2026-01-12 | not yet calculated | CVE-2025-41006 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| Imaster--Patient Record Management System | Imaster's Patient Record Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint '/projects/hospital/admin/edit_patient.php'. By injecting a malicious script into the 'firstname' parameter, the JavaScript code is stored and executed every time a user accesses the patient list, allowing an attacker to execute arbitrary JavaScript in a victim's browser. | 2026-01-12 | not yet calculated | CVE-2025-41003 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| Imaster--Patient Record Management System | Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint '/projects/hospital/admin/complaints.php' through the 'id' parameter. | 2026-01-12 | not yet calculated | CVE-2025-41004 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| InvoicePlane--InvoicePlane | An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes. | 2026-01-15 | not yet calculated | CVE-2025-67082 | https://github.com/InvoicePlane/InvoicePlane https://www.helx.io/blog/advisory-invoice-plane/ |
| InvoicePlane--InvoicePlane | Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration. | 2026-01-15 | not yet calculated | CVE-2025-67083 | https://github.com/InvoicePlane/InvoicePlane https://www.helx.io/blog/advisory-invoice-plane/ |
| InvoicePlane--InvoicePlane | File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE). | 2026-01-15 | not yet calculated | CVE-2025-67084 | https://github.com/InvoicePlane/InvoicePlane https://www.helx.io/blog/advisory-invoice-plane/ |
| ippprint--Sagemcom | Buffer Overflow in the ippprint (Internet Printing Protocol) service in Sagemcom F@st 3686 MAGYAR_4.121.0 allows a remote attacker to execute arbitrary code by sending a crafted HTTP request. | 2026-01-12 | not yet calculated | CVE-2025-29329 | http://sagemcom.com http://fst.com https://github.com/SilverS3c/Sagemcom-fast-3686-ippprint |
| isaacs--node-tar | node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3. | 2026-01-16 | not yet calculated | CVE-2026-23745 | https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97 https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e |
| Itflow--Itflow | An SQL injection vulnerability in Itflow through 25.06 has been identified in the "role_id" parameter when editing a profile. An attacker with admin account can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing on integer parameter. | 2026-01-15 | not yet calculated | CVE-2025-67081 | https://github.com/itflow-org/itflow https://www.helx.io/blog/advisory-itflow/ |
| KACE--KACE | Quest KACE Desktop Authority through 11.3.1 has Insecure Permissions on the Named Pipes used for inter-process communication | 2026-01-12 | not yet calculated | CVE-2025-67813 | https://quest.com https://support.quest.com/kb/4381743/quest-kace-desktop-authority-insecure-named-pipe-permissions-cve-2025-67813 |
| kashipara--kashipara | A SQL Injection was found in the /exam/user/profile.php page of kashipara Online Exam System V1.0, which allows remote attackers to execute arbitrary SQL command to get unauthorized database access via the rname, rcollage, rnumber, rgender and rpassword parameters in a POST HTTP request. | 2026-01-12 | not yet calculated | CVE-2025-51567 | https://github.com/0xBhushan/Writeups/blob/main/CVE/Kashipara/Online%20Exam%20System/SQL%20Injection-Profile%20Update.pdf |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoint of the WeGIA application. The application does not sanitize user-controlled input before rendering it inside the Adopters Information table, allowing persistent JavaScript injection. Any user who visits the page will have the payload executed automatically. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23725 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-c85q-4fwg-99gw https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoEntradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23726 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-h7qx-j7g3-7fx3 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23727 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pmq9-8p4w-m4f3 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23728 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jf25-p56f-wpgh https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarDescricao and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23729 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w88p-v7h6-m728 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23730 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6gx4-6gwv-cxc3 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LangChain AI--LangChain | LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition. | 2026-01-12 | not yet calculated | CVE-2024-58340 | https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb https://www.langchain.com/ https://github.com/langchain-ai/langchain https://www.vulncheck.com/advisories/langchain-mrkloutputparser-redos |
| Lemonsoft--WordPress add-on | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS). This issue affects WordPress add on: 2025.7.1. | 2026-01-13 | not yet calculated | CVE-2025-9427 | https://lemondoc.atlassian.net/wiki/spaces/LEMONSHOP/pages/754909038/Versiohistoria+-+Lemonsoft+integration+lis+osa |
| Libsndfile--Libsndfile | Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file. | 2026-01-14 | not yet calculated | CVE-2025-56226 | https://github.com/libsndfile/libsndfile/issues/1089 https://gist.github.com/Sisyphus-wang/f9e6e017b7d478bebee6e8187672abc8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: Verify inode mode when loading from disk syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 16bits "mode" field loaded from disk are corrupted. According to [1], the permissions field was treated as reserved in Mac OS 8 and 9. According to [2], the reserved field was explicitly initialized with 0, and that field must remain 0 as long as reserved. Therefore, when the "mode" field is not 0 (i.e. no longer reserved), the file must be S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/ S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0. | 2026-01-13 | not yet calculated | CVE-2025-68767 | https://git.kernel.org/stable/c/6f768724aabd5b321c5b8f15acdca11e4781cf32 https://git.kernel.org/stable/c/d92333c7a35856e419500e7eed72dac1afa404a5 https://git.kernel.org/stable/c/001f44982587ad462b3002ee40c75e8df67d597d https://git.kernel.org/stable/c/05ec9af3cc430683c97f76027e1c55ac6fd25c59 https://git.kernel.org/stable/c/edfb2e602b5ba5ca6bf31cbac20b366efb72b156 https://git.kernel.org/stable/c/91f114bffa36ce56d0e1f60a0a44fc09baaefc79 https://git.kernel.org/stable/c/005d4b0d33f6b4a23d382b7930f7a96b95b01f39 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: inet: frags: flush pending skbs in fqdir_pre_exit() We have been seeing occasional deadlocks on pernet_ops_rwsem since September in NIPA. The stuck task was usually modprobe (often loading a driver like ipvlan), trying to take the lock as a Writer. lockdep does not track readers for rwsems so the read wasn't obvious from the reports. On closer inspection the Reader holding the lock was conntrack looping forever in nf_conntrack_cleanup_net_list(). Based on past experience with occasional NIPA crashes I looked thru the tests which run before the crash and noticed that the crash follows ip_defrag.sh. An immediate red flag. Scouring thru (de)fragmentation queues reveals skbs sitting around, holding conntrack references. The problem is that since conntrack depends on nf_defrag_ipv6, nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its netns exit hooks run _after_ conntrack's netns exit hook. Flush all fragment queue SKBs during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs. Also flush the queues in timer expiry handlers when they discover fqdir->dead is set, in case packet sneaks in while we're running the pre_exit flush. The commit under Fixes is not exactly the culprit, but I think previously the timer firing would eventually unblock the spinning conntrack. | 2026-01-13 | not yet calculated | CVE-2025-68768 | https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903 https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix return value of f2fs_recover_fsync_data() With below scripts, it will trigger panic in f2fs: mkfs.f2fs -f /dev/vdd mount /dev/vdd /mnt/f2fs touch /mnt/f2fs/foo sync echo 111 >> /mnt/f2fs/foo f2fs_io fsync /mnt/f2fs/foo f2fs_io shutdown 2 /mnt/f2fs umount /mnt/f2fs mount -o ro,norecovery /dev/vdd /mnt/f2fs or mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f F2FS-fs (vdd): Stopped filesystem due to reason: 0 F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1 Filesystem f2fs get_tree() didn't set fc->root, returned 1 ------------[ cut here ]------------ kernel BUG at fs/super.c:1761! Oops: invalid opcode: 0000 [#1] SMP PTI CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:vfs_get_tree.cold+0x18/0x1a Call Trace: <TASK> fc_mount+0x13/0xa0 path_mount+0x34e/0xc50 __x64_sys_mount+0x121/0x150 do_syscall_64+0x84/0x800 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fa6cc126cfe The root cause is we missed to handle error number returned from f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or ro,disable_roll_forward mount option, result in returning a positive error number to vfs_get_tree(), fix it. | 2026-01-13 | not yet calculated | CVE-2025-68769 | https://git.kernel.org/stable/c/e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725 https://git.kernel.org/stable/c/0de4977a1eeafe9d77701e3c031a1bcdba389243 https://git.kernel.org/stable/c/9bc246018aaa3b46a7710428d0a2196c229f9d49 https://git.kernel.org/stable/c/a4c67d96f92eefcfa5596a08f069e77b743c5865 https://git.kernel.org/stable/c/473550e715654ad7612aa490d583cb7c25fe2ff3 https://git.kernel.org/stable/c/4560db9678a2c5952b6205fbca468c6805c2ba2a https://git.kernel.org/stable/c/01fba45deaddcce0d0b01c411435d1acf6feab7b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix XDP_TX path For XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not correct. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be looping within NAPI and some event flags may be set in earlier iterations. In particular, if BNXT_TX_EVENT is set earlier indicating some XDP_TX packets are ready and pending, it will be cleared if it is XDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we successfully call __bnxt_xmit_xdp(). But if the TX ring has no more room, the flag will not be set. This will cause the TX producer to be ahead but the driver will not hit the TX doorbell. For multi-buf XDP_TX, there is no need to clear the event flags and set BNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in bnxt_rx_pkt(). The visible symptom of this is that the RX ring associated with the TX XDP ring will eventually become empty and all packets will be dropped. Because this condition will cause the driver to not refill the RX ring seeing that the TX ring has forever pending XDP_TX packets. The fix is to only clear BNXT_RX_EVENT when we have successfully called __bnxt_xmit_xdp(). | 2026-01-13 | not yet calculated | CVE-2025-68770 | https://git.kernel.org/stable/c/4b83902a1e67ff327ab5c6c65021a03e72c081d6 https://git.kernel.org/stable/c/f17e0c1208485b24d61271bc1ddc8f2087e71561 https://git.kernel.org/stable/c/0373d5c387f24de749cc22e694a14b3a7c7eb515 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix kernel BUG in ocfs2_find_victim_chain syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the `cl_next_free_rec` field of the allocation chain list (next free slot in the chain list) is 0, triggering the BUG_ON(!cl->cl_next_free_rec) condition in ocfs2_find_victim_chain() and panicking the kernel. To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(), just before calling ocfs2_find_victim_chain(), the code block in it being executed when either of the following conditions is true: 1. `cl_next_free_rec` is equal to 0, indicating that there are no free chains in the allocation chain list 2. `cl_next_free_rec` is greater than `cl_count` (the total number of chains in the allocation chain list) Either of them being true is indicative of the fact that there are no chains left for usage. This is addressed using ocfs2_error(), which prints the error log for debugging purposes, rather than panicking the kernel. | 2026-01-13 | not yet calculated | CVE-2025-68771 | https://git.kernel.org/stable/c/1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7 https://git.kernel.org/stable/c/d0fd1f732ea8063cecd07a3879b7d815c7ee71ed https://git.kernel.org/stable/c/b08a33d5f80efe6979a6e8f905c1a898910c21dd https://git.kernel.org/stable/c/96f1b074c98c20f55a3b23d2ab44d9fb0f619869 https://git.kernel.org/stable/c/e24aedae71652d4119049f1fbef6532ccbe3966d https://git.kernel.org/stable/c/7acc0390e0dd7474c4451d05465a677d55ad4268 https://git.kernel.org/stable/c/039bef30e320827bac8990c9f29d2a68cd8adb5f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating compression context during writeback Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857 Call Trace: <TASK> f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline] f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317 do_writepages+0x38e/0x640 mm/page-writeback.c:2634 filemap_fdatawrite_wbc mm/filemap.c:386 [inline] __filemap_fdatawrite_range mm/filemap.c:419 [inline] file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794 f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294 generic_write_sync include/linux/fs.h:3043 [inline] f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x7e9/0xe00 fs/read_write.c:686 ksys_write+0x19d/0x2d0 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The bug was triggered w/ below race condition: fsync setattr ioctl - f2fs_do_sync_file - file_write_and_wait_range - f2fs_write_cache_pages : inode is non-compressed : cc.cluster_size = F2FS_I(inode)->i_cluster_size = 0 - tag_pages_for_writeback - f2fs_setattr - truncate_setsize - f2fs_truncate - f2fs_fileattr_set - f2fs_setflags_common - set_compress_context : F2FS_I(inode)->i_cluster_size = 4 : set_inode_flag(inode, FI_COMPRESSED_FILE) - f2fs_compressed_file : return true - f2fs_all_cluster_page_ready : "pgidx % cc->cluster_size" trigger dividing 0 issue Let's change as below to fix this issue: - introduce a new atomic type variable .writeback in structure f2fs_inode_info to track the number of threads which calling f2fs_write_cache_pages(). - use .i_sem lock to protect .writeback update. - check .writeback before update compression context in f2fs_setflags_common() to avoid race w/ ->writepages. | 2026-01-13 | not yet calculated | CVE-2025-68772 | https://git.kernel.org/stable/c/ad26bfbc085c939b5dca77ff8c14798c06d151c4 https://git.kernel.org/stable/c/bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0 https://git.kernel.org/stable/c/0bf1a02494c7eb5bd43445de4c83c8592e02c4bf https://git.kernel.org/stable/c/0df713a9c082a474c8b0bcf670edc8e98461d5a0 https://git.kernel.org/stable/c/10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: fsl-cpm: Check length parity before switching to 16 bit mode Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") failed to make sure that the size is really even before switching to 16 bit mode. Until recently the problem went unnoticed because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for reading EEPROM. But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") introduced an additional dynamically allocated bounce buffer whose size is exactly the size of the transfer, leading to a buffer overrun in the fsl-cpm driver when that size is odd. Add the missing length parity verification and remain in 8 bit mode when the length is not even. | 2026-01-13 | not yet calculated | CVE-2025-68773 | https://git.kernel.org/stable/c/c8f1d35076b78df61ace737e41cc1f4b7b63236c https://git.kernel.org/stable/c/9c34a4a2ead00979d203a8c16bea87f0ef5291d8 https://git.kernel.org/stable/c/837a23a11e0f734f096c7c7b0778d0e625e3dc87 https://git.kernel.org/stable/c/3dd6d01384823e1bd8602873153d6fc4337ac4fe https://git.kernel.org/stable/c/743cebcbd1b2609ec5057ab474979cef73d1b681 https://git.kernel.org/stable/c/be0b613198e6bfa104ad520397cab82ad3ec1771 https://git.kernel.org/stable/c/1417927df8049a0194933861e9b098669a95c762 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create When sync() and link() are called concurrently, both threads may enter hfs_bnode_find() without finding the node in the hash table and proceed to create it. Thread A: hfsplus_write_inode() -> hfsplus_write_system_inode() -> hfs_btree_write() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0) Thread B: hfsplus_create_cat() -> hfs_brec_insert() -> hfs_bnode_split() -> hfs_bmap_alloc() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0) In this case, thread A creates the bnode, sets refcnt=1, and hashes it. Thread B also tries to create the same bnode, notices it has already been inserted, drops its own instance, and uses the hashed one without getting the node. ``` node2 = hfs_bnode_findhash(tree, cnid); if (!node2) { <- Thread A hash = hfs_bnode_hash(cnid); node->next_hash = tree->node_hash[hash]; tree->node_hash[hash] = node; tree->node_hash_cnt++; } else { <- Thread B spin_unlock(&tree->hash_lock); kfree(node); wait_event(node2->lock_wq, !test_bit(HFS_BNODE_NEW, &node2->flags)); return node2; } ``` However, hfs_bnode_find() requires each call to take a reference. Here both threads end up setting refcnt=1. When they later put the node, this triggers: BUG_ON(!atomic_read(&node->refcnt)) In this scenario, Thread B in fact finds the node in the hash table rather than creating a new one, and thus must take a reference. Fix this by calling hfs_bnode_get() when reusing a bnode newly created by another thread to ensure the refcount is updated correctly. A similar bug was fixed in HFS long ago in commit a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create") but the same issue remained in HFS+ until now. | 2026-01-13 | not yet calculated | CVE-2025-68774 | https://git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56 https://git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342d https://git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86 https://git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50 https://git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6 https://git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071e https://git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/handshake: duplicate handshake cancellations leak socket When a handshake request is cancelled it is removed from the handshake_net->hn_requests list, but it is still present in the handshake_rhashtbl until it is destroyed. If a second cancellation request arrives for the same handshake request, then remove_pending() will return false... and assuming HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue processing through the out_true label, where we put another reference on the sock and a refcount underflow occurs. This can happen for example if a handshake times out - particularly if the SUNRPC client sends the AUTH_TLS probe to the server but doesn't follow it up with the ClientHello due to a problem with tlshd. When the timeout is hit on the server, the server will send a FIN, which triggers a cancellation request via xs_reset_transport(). When the timeout is hit on the client, another cancellation request happens via xs_tls_handshake_sync(). Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel path so duplicate cancels can be detected. | 2026-01-13 | not yet calculated | CVE-2025-68775 | https://git.kernel.org/stable/c/011ae80c49d9bfa5b4336f8bd387cd25c7593663 https://git.kernel.org/stable/c/e1641177e7fb48a0a5a06658d4aab51da6656659 https://git.kernel.org/stable/c/3c330f1dee3cd92b57e19b9d21dc8ce5970b09be https://git.kernel.org/stable/c/15564bd67e2975002f2a8e9defee33e321d3183f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std but doesn't check if the allocation failed. If __pskb_copy() returns NULL, skb_clone() is called with a NULL pointer, causing a crash: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041 Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207 RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480 RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000 RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000 R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00 FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0 Call Trace: <TASK> hsr_forward_do net/hsr/hsr_forward.c:-1 [inline] hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741 hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84 __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966 __netif_receive_skb_one_core net/core/dev.c:6077 [inline] __netif_receive_skb+0x72/0x380 net/core/dev.c:6192 netif_receive_skb_internal net/core/dev.c:6278 [inline] netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337 tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485 tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0449f8e1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8 RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001 R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003 </TASK> Add a NULL check immediately after __pskb_copy() to handle allocation failures gracefully. | 2026-01-13 | not yet calculated | CVE-2025-68776 | https://git.kernel.org/stable/c/3ce95a57d8a1f0e20b637cdeddaaed81831ca819 https://git.kernel.org/stable/c/c851e43b88b40bb7c20176c51cbf4f8c8d960dd9 https://git.kernel.org/stable/c/7be6d25f4d974e44918ba3a5d58ebb9d36879087 https://git.kernel.org/stable/c/8f289fa12926aae44347ca7d490e216555d8f255 https://git.kernel.org/stable/c/1742974c24a9c1f1fd2e5edca0cbaccb720b397a https://git.kernel.org/stable/c/6220d38a08f8837575cd8f830928b49a3a5a5095 https://git.kernel.org/stable/c/188e0fa5a679570ea35474575e724d8211423d17 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds access when used as index in 'config_pins[wire_order[i]]'. Since config_pins has 4 elements (indices 0-3), the valid range for wire_order should be 0-3. Fix the off-by-one error by using >= instead of > in the validation check. | 2026-01-13 | not yet calculated | CVE-2025-68777 | https://git.kernel.org/stable/c/a7ff2360431561b56f559d3a628d1f096048d178 https://git.kernel.org/stable/c/136abe173a3cc2951d70c6e51fe7abdbadbb204b https://git.kernel.org/stable/c/08c0b561823a7026364efb38ed7f4a3af48ccfcd https://git.kernel.org/stable/c/bf95ec55805828c4f2b5241fb6b0c12388548570 https://git.kernel.org/stable/c/84e4d3543168912549271b34261f5e0f94952d6e https://git.kernel.org/stable/c/40e3042de43ffa0017a8460ff9b4cad7b8c7cb96 https://git.kernel.org/stable/c/248d3a73a0167dce15ba100477c3e778c4787178 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: don't log conflicting inode if it's a dir moved in the current transaction We can't log a conflicting inode if it's a directory and it was moved from one parent directory to another parent directory in the current transaction, as this can result in an attempt to have a directory with two hard links during log replay, one for the old parent directory and another for the new parent directory. The following scenario triggers that issue: 1) We have directories "dir1" and "dir2" created in a past transaction. Directory "dir1" has inode A as its parent directory; 2) We move "dir1" to some other directory; 3) We create a file with the name "dir1" in directory inode A; 4) We fsync the new file. This results in logging the inode of the new file and the inode for the directory "dir1" that was previously moved in the current transaction. So the log tree has the INODE_REF item for the new location of "dir1"; 5) We move the new file to some other directory. This results in updating the log tree to include the new INODE_REF for the new location of the file and removes the INODE_REF for the old location. This happens during the rename when we call btrfs_log_new_name(); 6) We fsync the file, and that persists the log tree changes done in the previous step (btrfs_log_new_name() only updates the log tree in memory); 7) We have a power failure; 8) Next time the fs is mounted, log replay happens and when processing the inode for directory "dir1" we find a new INODE_REF and add that link, but we don't remove the old link of the inode since we have not logged the old parent directory of the directory inode "dir1". As a result after log replay finishes when we trigger writeback of the subvolume tree's extent buffers, the tree check will detect that we have a directory with a hard link count of 2 and we get a mount failure. The errors and stack traces reported in dmesg/syslog are like this: [ 3845.729764] BTRFS info (device dm-0): start tree-log replay [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c [ 3845.731236] memcg:ffff9264c02f4e00 [ 3845.731751] aops:btree_aops [btrfs] ino:1 [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8 [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00 [ 3845.735305] page dumped because: eb page dump [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5 [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701 [ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384 [ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0 [ 3845.737797] rdev 0 sequence 2 flags 0x0 [ 3845.737798] atime 1764259517.0 [ 3845.737800] ctime 1764259517.572889464 [ 3845.737801] mtime 1764259517.572889464 [ 3845.737802] otime 1764259517.0 [ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [ 3845.737805] index 0 name_len 2 [ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34 [ 3845.737808] location key (257 1 0) type 2 [ 3845.737810] transid 9 data_len 0 name_len 4 [ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34 [ 3845.737813] location key (258 1 0) type 2 [ 3845.737814] transid 9 data_len 0 name_len 4 [ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [ 3845.737816] location key (257 1 0) type 2 [ ---truncated--- | 2026-01-13 | not yet calculated | CVE-2025-68778 | https://git.kernel.org/stable/c/d64f3834dffef80f0a9185a037617a54ed7f4bd2 https://git.kernel.org/stable/c/7359e1d39c78816ecbdb0cb4e93975794ce53973 https://git.kernel.org/stable/c/d478f50727c3ee46d0359f0d2ae114f70191816e https://git.kernel.org/stable/c/a35788ddf8df65837897ecbb0ddb2896b863159e https://git.kernel.org/stable/c/266273eaf4d99475f1ae57f687b3e42bc71ec6f0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid unregistering PSP twice PSP is unregistered twice in: _mlx5e_remove -> mlx5e_psp_unregister mlx5e_nic_cleanup -> mlx5e_psp_unregister This leads to a refcount underflow in some conditions: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 2 PID: 1694 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0 [...] mlx5e_psp_unregister+0x26/0x50 [mlx5_core] mlx5e_nic_cleanup+0x26/0x90 [mlx5_core] mlx5e_remove+0xe6/0x1f0 [mlx5_core] auxiliary_bus_remove+0x18/0x30 device_release_driver_internal+0x194/0x1f0 bus_remove_device+0xc6/0x130 device_del+0x159/0x3c0 mlx5_rescan_drivers_locked+0xbc/0x2a0 [mlx5_core] [...] Do not directly remove psp from the _mlx5e_remove path, the PSP cleanup happens as part of profile cleanup. | 2026-01-13 | not yet calculated | CVE-2025-68779 | https://git.kernel.org/stable/c/e12c912f92ccea671b514caf371f28485714bb4b https://git.kernel.org/stable/c/35e93736f69963337912594eb3951ab320b77521 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/deadline: only set free_cpus for online runqueues Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus to reflect rd->online") introduced the cpudl_set/clear_freecpu functions to allow the cpu_dl::free_cpus mask to be manipulated by the deadline scheduler class rq_on/offline callbacks so the mask would also reflect this state. Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask from cpudl_find()") removed the check of the cpu_active_mask to save some processing on the premise that the cpudl::free_cpus mask already reflected the runqueue online state. Unfortunately, there are cases where it is possible for the cpudl_clear function to set the free_cpus bit for a CPU when the deadline runqueue is offline. When this occurs while a CPU is connected to the default root domain the flag may retain the bad state after the CPU has been unplugged. Later, a different CPU that is transitioning through the default root domain may push a deadline task to the powered down CPU when cpudl_find sees its free_cpus bit is set. If this happens the task will not have the opportunity to run. One example is outlined here: https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com Another occurs when the last deadline task is migrated from a CPU that has an offlined runqueue. The dequeue_task member of the deadline scheduler class will eventually call cpudl_clear and set the free_cpus bit for the CPU. This commit modifies the cpudl_clear function to be aware of the online state of the deadline runqueue so that the free_cpus mask can be updated appropriately. It is no longer necessary to manage the mask outside of the cpudl_set/clear functions so the cpudl_set/clear_freecpu functions are removed. In addition, since the free_cpus mask is now only updated under the cpudl lock the code was changed to use the non-atomic __cpumask functions. | 2026-01-13 | not yet calculated | CVE-2025-68780 | https://git.kernel.org/stable/c/9019e399684e3cc68c4a3f050e268f74d69c1317 https://git.kernel.org/stable/c/fb36846cbcc936954f2ad2bffdff13d16c0be08a https://git.kernel.org/stable/c/91e448e69aca4bb0ba2e998eb3e555644db7322b https://git.kernel.org/stable/c/dbc61834b0412435df21c71410562d933e4eba49 https://git.kernel.org/stable/c/3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8 https://git.kernel.org/stable/c/382748c05e58a9f1935f5a653c352422375566ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled under two conditions: 1. When a host controller binds to the OTG controller. 2. When the USB ID pin state changes (cable insertion/removal). A race condition occurs when the device is removed via fsl_otg_remove(): the fsl_otg instance may be freed while the delayed work is still pending or executing. This leads to use-after-free when the work function fsl_otg_event() accesses the already freed memory. The problematic scenario: (detach thread) | (delayed work) fsl_otg_remove() | kfree(fsl_otg_dev) //FREE| fsl_otg_event() | og = container_of(...) //USE | og-> //USE Fix this by calling disable_delayed_work_sync() in fsl_otg_remove() before deallocating the fsl_otg structure. This ensures the delayed work is properly canceled and completes execution prior to memory deallocation. This bug was identified through static analysis. | 2026-01-13 | not yet calculated | CVE-2025-68781 | https://git.kernel.org/stable/c/4476c73bbbb09b13a962176fca934b32d3954a2e https://git.kernel.org/stable/c/319f7a85b3c4e34ac2fe083eb146fe129a556317 https://git.kernel.org/stable/c/69f9a0701abc3d1f8225074c56c27e6c16a37222 https://git.kernel.org/stable/c/2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23 https://git.kernel.org/stable/c/41ca62e3e21e48c2903b3b45e232cf4f2ff7434f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: target: Reset t_task_cdb pointer in error case If allocation of cmd->t_task_cdb fails, it remains NULL but is later dereferenced in the 'err' path. In case of error, reset NULL t_task_cdb value to point at the default fixed-size buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-01-13 | not yet calculated | CVE-2025-68782 | https://git.kernel.org/stable/c/6cac97b12bdab04832e0416d049efcd0d48d303b https://git.kernel.org/stable/c/45fd86b444105c8bd07a763f58635c87e5dc7aea https://git.kernel.org/stable/c/8727663ded659aad55eef21e3864ebf5a4796a96 https://git.kernel.org/stable/c/0260ad551b0815eb788d47f32899fbcd65d6f128 https://git.kernel.org/stable/c/0d36db68fdb8a3325386fd9523b67735f944e1f3 https://git.kernel.org/stable/c/8edbb9e371af186b4cf40819dab65fafe109df4d https://git.kernel.org/stable/c/5053eab38a4c4543522d0c320c639c56a8b59908 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-mixer: us16x08: validate meter packet indices get_meter_levels_from_urb() parses the 64-byte meter packets sent by the device and fills the per-channel arrays meter_level[], comp_level[] and master_level[] in struct snd_us16x08_meter_store. Currently the function derives the channel index directly from the meter packet (MUB2(meter_urb, s) - 1) and uses it to index those arrays without validating the range. If the packet contains a negative or out-of-range channel number, the driver may write past the end of these arrays. Introduce a local channel variable and validate it before updating the arrays. We reject negative indices, limit meter_level[] and comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[] updates with ARRAY_SIZE(master_level). | 2026-01-13 | not yet calculated | CVE-2025-68783 | https://git.kernel.org/stable/c/53461710a95e15ac1f6542450943a492ecf8e550 https://git.kernel.org/stable/c/2168866396bd28ec4f3c8da0fbc7d08b5bd4f053 https://git.kernel.org/stable/c/cde47f4ccad6751ac36b7471572ddf38ee91870c https://git.kernel.org/stable/c/2f21a7cbaaa93926f5be15bc095b9c57c35748d9 https://git.kernel.org/stable/c/a8ad320efb663be30b794e3dd3e829301c0d0ed3 https://git.kernel.org/stable/c/eaa95228b8a56c4880a182c0350d67922b22408f https://git.kernel.org/stable/c/5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix a UAF problem in xattr repair The xchk_setup_xattr_buf function can allocate a new value buffer, which means that any reference to ab->value before the call could become a dangling pointer. Fix this by moving an assignment to after the buffer setup. | 2026-01-13 | not yet calculated | CVE-2025-68784 | https://git.kernel.org/stable/c/1e2d3aa19c7962b9474b22893160cb460494c45f https://git.kernel.org/stable/c/d29ed9ff972afe17c215cab171761d7a15d7063f https://git.kernel.org/stable/c/5990fd756943836978ad184aac980e2b36ab7e01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix middle attribute validation in push_nsh() action The push_nsh() action structure looks like this: OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...)) The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested() inside nsh_key_put_from_nlattr(). But nothing checks if the attribute in the middle is OK. We don't even check that this attribute is the OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data() calls - first time directly while calling validate_push_nsh() and the second time as part of the nla_for_each_nested() macro, which isn't safe, potentially causing invalid memory access if the size of this attribute is incorrect. The failure may not be noticed during validation due to larger netlink buffer, but cause trouble later during action execution where the buffer is allocated exactly to the size: BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] Read of size 184 at addr ffff88816459a634 by task a.out/22624 CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary) Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x2c/0x390 kasan_report+0xdd/0x110 kasan_check_range+0x35/0x1b0 __asan_memcpy+0x20/0x60 nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] push_nsh+0x82/0x120 [openvswitch] do_execute_actions+0x1405/0x2840 [openvswitch] ovs_execute_actions+0xd5/0x3b0 [openvswitch] ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch] genl_family_rcv_msg_doit+0x1d6/0x2b0 genl_family_rcv_msg+0x336/0x580 genl_rcv_msg+0x9f/0x130 netlink_rcv_skb+0x11f/0x370 genl_rcv+0x24/0x40 netlink_unicast+0x73e/0xaa0 netlink_sendmsg+0x744/0xbf0 __sys_sendto+0x3d6/0x450 do_syscall_64+0x79/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Let's add some checks that the attribute is properly sized and it's the only one attribute inside the action. Technically, there is no real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're pushing an NSH header already, it just creates extra nesting, but that's how uAPI works today. So, keeping as it is. | 2026-01-13 | not yet calculated | CVE-2025-68785 | https://git.kernel.org/stable/c/d0c135b8bbbcf92836068fd395bebeb7ae6c7bef https://git.kernel.org/stable/c/3bc2efff20a38b2c7ca18317649715df0dd62ced https://git.kernel.org/stable/c/1b569db9c2f28b599e40050524aae5f7332bc294 https://git.kernel.org/stable/c/10ffc558246f2c75619aedda0921906095e46702 https://git.kernel.org/stable/c/2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9 https://git.kernel.org/stable/c/c999153bfb2d1d9b295b7010d920f2a7c6d7595f https://git.kernel.org/stable/c/5ace7ef87f059d68b5f50837ef3e8a1a4870c36e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: skip lock-range check on equal size to avoid size==0 underflow When size equals the current i_size (including 0), the code used to call check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1` and can underflow for size==0. Skip the equal case. | 2026-01-13 | not yet calculated | CVE-2025-68786 | https://git.kernel.org/stable/c/52fcbb92e0d3acfd1448b2a43b6595d540da5295 https://git.kernel.org/stable/c/da29cd197246c85c0473259f1cad897d9d28faea https://git.kernel.org/stable/c/a6f4cfa3783804336491e0edcb250c25f9b59d33 https://git.kernel.org/stable/c/571204e4758a528fbd67330bd4b0dfbdafb33dd8 https://git.kernel.org/stable/c/5d510ac31626ed157d2182149559430350cf2104 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netrom: Fix memory leak in nr_sendmsg() syzbot reported a memory leak [1]. When function sock_alloc_send_skb() returns NULL in nr_output(), the original skb is not freed, which was allocated in nr_sendmsg(). Fix this by freeing it before return. [1] BUG: memory leak unreferenced object 0xffff888129f35500 (size 240): comm "syz.0.17", pid 6119, jiffies 4294944652 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(.... backtrace (crc 1456a3e4): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4983 [inline] slab_alloc_node mm/slub.c:5288 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 sock_alloc_send_skb include/net/sock.h:1859 [inline] nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x293/0x2a0 net/socket.c:1195 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0x143/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2026-01-13 | not yet calculated | CVE-2025-68787 | https://git.kernel.org/stable/c/f77e538ac4e3adb1882d5bccb7bfdc111b5963d3 https://git.kernel.org/stable/c/09efbf54eeaecebe882af603c9939a4b1bb9567e https://git.kernel.org/stable/c/73839497bbde5cd4fd02bbd9c8bc2640780ae65d https://git.kernel.org/stable/c/156a0f6341dce634a825db49ca20b48b1ae9bcc1 https://git.kernel.org/stable/c/8d1ccba4b171cd504ecfa47349cb9864fc9d687c https://git.kernel.org/stable/c/51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977 https://git.kernel.org/stable/c/613d12dd794e078be8ff3cf6b62a6b9acf7f4619 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fsnotify: do not generate ACCESS/MODIFY events on child for special files inotify/fanotify do not allow users with no read access to a file to subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the same user to subscribe for watching events on children when the user has access to the parent directory (e.g. /dev). Users with no read access to a file but with read access to its parent directory can still stat the file and see if it was accessed/modified via atime/mtime change. The same is not true for special files (e.g. /dev/null). Users will not generally observe atime/mtime changes when other users read/write to special files, only when someone sets atime/mtime via utimensat(). Align fsnotify events with this stat behavior and do not generate ACCESS/MODIFY events to parent watchers on read/write of special files. The events are still generated to parent watchers on utimensat(). This closes some side-channels that could be possibly used for information exfiltration [1]. [1] https://snee.la/pdf/pubs/file-notification-attacks.pdf | 2026-01-13 | not yet calculated | CVE-2025-68788 | https://git.kernel.org/stable/c/df2711544b050aba703e6da418c53c7dc5d443ca https://git.kernel.org/stable/c/859bdf438f01d9aa7f84b09c1202d548c7cad9e8 https://git.kernel.org/stable/c/6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91 https://git.kernel.org/stable/c/e0643d46759db8b84c0504a676043e5e341b6c81 https://git.kernel.org/stable/c/82f7416bcbd951549e758d15fc1a96a5afc2e900 https://git.kernel.org/stable/c/7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6 https://git.kernel.org/stable/c/635bc4def026a24e071436f4f356ea08c0eed6ff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (ibmpex) fix use-after-free in high/low store The ibmpex_high_low_store() function retrieves driver data using dev_get_drvdata() and uses it without validation. This creates a race condition where the sysfs callback can be invoked after the data structure is freed, leading to use-after-free. Fix by adding a NULL check after dev_get_drvdata(), and reordering operations in the deletion path to prevent TOCTOU. | 2026-01-13 | not yet calculated | CVE-2025-68789 | https://git.kernel.org/stable/c/3ce9b7ae9d4d148672b35147aaf7987a4f82bb94 https://git.kernel.org/stable/c/533ead425f8109b02fecc7e72d612b8898ec347a https://git.kernel.org/stable/c/fa37adcf1d564ef58b9dfb01b6c36d35c5294bad https://git.kernel.org/stable/c/68d62e5bebbd118b763e8bb210d5cf2198ef450c https://git.kernel.org/stable/c/5aa2139201667c1f644601e4529c4acd6bf8db5a https://git.kernel.org/stable/c/6946c726c3f4c36f0f049e6f97e88c510b15f65d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix double unregister of HCA_PORTS component Clear hca_devcom_comp in device's private data after unregistering it in LAG teardown. Otherwise a slightly lagging second pass through mlx5_unload_one() might try to unregister it again and trip over use-after-free. On s390 almost all PCI level recovery events trigger two passes through mlx5_unload_one() - one through the poll_health() method and one through mlx5_pci_err_detected() as callback from generic PCI error recovery. While testing PCI error recovery paths with more kernel debug features enabled, this issue reproducibly led to kernel panics with the following call chain: Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 ESOP-2 FSI Fault in home space mode while using kernel ASCE. AS:00000000705c4007 R3:0000000000000024 Oops: 0038 ilc:3 [#1]SMP CPU: 14 UID: 0 PID: 156 Comm: kmcheck Kdump: loaded Not tainted 6.18.0-20251130.rc7.git0.16131a59cab1.300.fc43.s390x+debug #1 PREEMPT Krnl PSW : 0404e00180000000 0000020fc86aa1dc (__lock_acquire+0x5c/0x15f0) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000000 0000020f00000001 6b6b6b6b6b6b6c33 0000000000000000 0000000000000000 0000000000000000 0000000000000001 0000000000000000 0000000000000000 0000020fca28b820 0000000000000000 0000010a1ced8100 0000010a1ced8100 0000020fc9775068 0000018fce14f8b8 0000018fce14f7f8 Krnl Code: 0000020fc86aa1cc: e3b003400004 lg %r11,832 0000020fc86aa1d2: a7840211 brc 8,0000020fc86aa5f4 *0000020fc86aa1d6: c09000df0b25 larl %r9,0000020fca28b820 >0000020fc86aa1dc: d50790002000 clc 0(8,%r9),0(%r2) 0000020fc86aa1e2: a7840209 brc 8,0000020fc86aa5f4 0000020fc86aa1e6: c0e001100401 larl %r14,0000020fca8aa9e8 0000020fc86aa1ec: c01000e25a00 larl %r1,0000020fca2f55ec 0000020fc86aa1f2: a7eb00e8 aghi %r14,232 Call Trace: __lock_acquire+0x5c/0x15f0 lock_acquire.part.0+0xf8/0x270 lock_acquire+0xb0/0x1b0 down_write+0x5a/0x250 mlx5_detach_device+0x42/0x110 [mlx5_core] mlx5_unload_one_devl_locked+0x50/0xc0 [mlx5_core] mlx5_unload_one+0x42/0x60 [mlx5_core] mlx5_pci_err_detected+0x94/0x150 [mlx5_core] zpci_event_attempt_error_recovery+0xcc/0x388 | 2026-01-13 | not yet calculated | CVE-2025-68790 | https://git.kernel.org/stable/c/d2495f529d60e8e8c43e6ad524089c38b8be7bc4 https://git.kernel.org/stable/c/6a107cfe9c99a079e578a4c5eb70038101a3599f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: missing copy_finish in fuse-over-io-uring argument copies Fix a possible reference count leak of payload pages during fuse argument copies. [Joanne: simplified error cleanup] | 2026-01-13 | not yet calculated | CVE-2025-68791 | https://git.kernel.org/stable/c/b79938863f436960eff209130f025c4bd3026bf8 https://git.kernel.org/stable/c/6e0d7f7f4a43ac8868e98c87ecf48805aa8c24dd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix out of range indexing in name_size 'name_size' does not have any range checks, and it just directly indexes with TPM_ALG_ID, which could lead into memory corruption at worst. Address the issue by only processing known values and returning -EINVAL for unrecognized values. Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so that errors are detected before causing any spurious TPM traffic. End also the authorization session on failure in both of the functions, as the session state would be then by definition corrupted. | 2026-01-13 | not yet calculated | CVE-2025-68792 | https://git.kernel.org/stable/c/47e676ce4d68f461dfcab906f6aeb254f7276deb https://git.kernel.org/stable/c/04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43 https://git.kernel.org/stable/c/6e9722e9a7bfe1bbad649937c811076acf86e1fd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix a job->pasid access race in gpu recovery Avoid a possible UAF in GPU recovery due to a race between the sched timeout callback and the tdr work queue. The gpu recovery function calls drm_sched_stop() and later drm_sched_start(). drm_sched_start() restarts the tdr queue which will eventually free the job. If the tdr queue frees the job before time out callback completes, the job will be freed and we'll get a UAF when accessing the pasid. Cache it early to avoid the UAF. Example KASAN trace: [ 493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323 [ 493.074892] [ 493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G E 6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary) [ 493.076493] Tainted: [E]=UNSIGNED_MODULE [ 493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019 [ 493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched] [ 493.076512] Call Trace: [ 493.076515] <TASK> [ 493.076518] dump_stack_lvl+0x64/0x80 [ 493.076529] print_report+0xce/0x630 [ 493.076536] ? _raw_spin_lock_irqsave+0x86/0xd0 [ 493.076541] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 493.076545] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.077253] kasan_report+0xb8/0xf0 [ 493.077258] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.077965] amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.078672] ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu] [ 493.079378] ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu] [ 493.080111] amdgpu_job_timedout+0x642/0x1400 [amdgpu] [ 493.080903] ? pick_task_fair+0x24e/0x330 [ 493.080910] ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu] [ 493.081702] ? _raw_spin_lock+0x75/0xc0 [ 493.081708] ? __pfx__raw_spin_lock+0x10/0x10 [ 493.081712] drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched] [ 493.081721] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 493.081725] process_one_work+0x679/0xff0 [ 493.081732] worker_thread+0x6ce/0xfd0 [ 493.081736] ? __pfx_worker_thread+0x10/0x10 [ 493.081739] kthread+0x376/0x730 [ 493.081744] ? __pfx_kthread+0x10/0x10 [ 493.081748] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 493.081751] ? __pfx_kthread+0x10/0x10 [ 493.081755] ret_from_fork+0x247/0x330 [ 493.081761] ? __pfx_kthread+0x10/0x10 [ 493.081764] ret_from_fork_asm+0x1a/0x30 [ 493.081771] </TASK> (cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d) | 2026-01-13 | not yet calculated | CVE-2025-68793 | https://git.kernel.org/stable/c/dac58c012c47cadf337a35eb05d44498c43e5cd0 https://git.kernel.org/stable/c/77f73253015cbc7893fca1821ac3eae9eb4bc943 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iomap: adjust read range correctly for non-block-aligned positions iomap_adjust_read_range() assumes that the position and length passed in are block-aligned. This is not always the case however, as shown in the syzbot generated case for erofs. This causes too many bytes to be skipped for uptodate blocks, which results in returning the incorrect position and length to read in. If all the blocks are uptodate, this underflows length and returns a position beyond the folio. Fix the calculation to also take into account the block offset when calculating how many bytes can be skipped for uptodate blocks. | 2026-01-13 | not yet calculated | CVE-2025-68794 | https://git.kernel.org/stable/c/82b60ffbb532d919959702768dca04c3c0500ae5 https://git.kernel.org/stable/c/12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e https://git.kernel.org/stable/c/142194fb21afe964d2d194cab1fc357cbf87e899 https://git.kernel.org/stable/c/7aa6bc3e8766990824f66ca76c19596ce10daf3e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ethtool: Avoid overflowing userspace buffer on stats query The ethtool -S command operates across three ioctl calls: ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and ETHTOOL_GSTATS for the values. If the number of stats changes between these calls (e.g., due to device reconfiguration), userspace's buffer allocation will be incorrect, potentially leading to buffer overflow. Drivers are generally expected to maintain stable stat counts, but some drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making this scenario possible. Some drivers try to handle this internally: - bnad_get_ethtool_stats() returns early in case stats.n_stats is not equal to the driver's stats count. - micrel/ksz884x also makes sure not to write anything beyond stats.n_stats and overflow the buffer. However, both use stats.n_stats which is already assigned with the value returned from get_sset_count(), hence won't solve the issue described here. Change ethtool_get_strings(), ethtool_get_stats(), ethtool_get_phy_stats() to not return anything in case of a mismatch between userspace's size and get_sset_size(), to prevent buffer overflow. The returned n_stats value will be equal to zero, to reflect that nothing has been returned. This could result in one of two cases when using upstream ethtool, depending on when the size change is detected: 1. When detected in ethtool_get_strings(): # ethtool -S eth2 no stats available 2. When detected in get stats, all stats will be reported as zero. Both cases are presumably transient, and a subsequent ethtool call should succeed. Other than the overflow avoidance, these two cases are very evident (no output/cleared stats), which is arguably better than presenting incorrect/shifted stats. I also considered returning an error instead of a "silent" response, but that seems more destructive towards userspace apps. Notes: - This patch does not claim to fix the inherent race, it only makes sure that we do not overflow the userspace buffer, and makes for a more predictable behavior. - RTNL lock is held during each ioctl, the race window exists between the separate ioctl calls when the lock is released. - Userspace ethtool always fills stats.n_stats, but it is likely that these stats ioctls are implemented in other userspace applications which might not fill it. The added code checks that it's not zero, to prevent any regressions. | 2026-01-13 | not yet calculated | CVE-2025-68795 | https://git.kernel.org/stable/c/3df375a1e75483b7d973c3cc2e46aa374db8428b https://git.kernel.org/stable/c/f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5 https://git.kernel.org/stable/c/4afcb985355210e1688560dc47e64b94dad35d71 https://git.kernel.org/stable/c/ca9983bc3a1189bd72f9ae449d925a66b2616326 https://git.kernel.org/stable/c/7bea09f60f2ad5d232e2db8f1c14e850fd3fd416 https://git.kernel.org/stable/c/4066b5b546293f44cd6d0e84ece6e3ee7ff27093 https://git.kernel.org/stable/c/7b07be1ff1cb6c49869910518650e8d0abc7d25f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating zero-sized extent in extent cache As syzbot reported: F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0] ------------[ cut here ]------------ kernel BUG at fs/f2fs/extent_cache.c:678! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678 Call Trace: <TASK> f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085 f2fs_do_zero_range fs/f2fs/file.c:1657 [inline] f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737 f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030 vfs_fallocate+0x669/0x7e0 fs/open.c:342 ioctl_preallocate fs/ioctl.c:289 [inline] file_ioctl+0x611/0x780 fs/ioctl.c:-1 do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576 __do_sys_ioctl fs/ioctl.c:595 [inline] __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f07bc58eec9 In error path of f2fs_zero_range(), it may add a zero-sized extent into extent cache, it should be avoided. | 2026-01-13 | not yet calculated | CVE-2025-68796 | https://git.kernel.org/stable/c/9c07bd262c13ca922adad6e7613d48505f97f548 https://git.kernel.org/stable/c/72c58a82e6fb7b327e8701f5786c70c3edc56188 https://git.kernel.org/stable/c/e50b81c50fcbe63f50405bb40f262162ff32af88 https://git.kernel.org/stable/c/efe3371001f50a2d6f746b50bdc6f9f26b2089ec https://git.kernel.org/stable/c/4f244c64efe628d277b916f47071adf480eb8646 https://git.kernel.org/stable/c/bac23833220a1f8fe8dfab7e16efa20ff64d7589 https://git.kernel.org/stable/c/7c37c79510329cd951a4dedf3f7bf7e2b18dccec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: char: applicom: fix NULL pointer dereference in ac_ioctl Discovered by Atuin - Automated Vulnerability Discovery Engine. In ac_ioctl, the validation of IndexCard and the check for a valid RamIO pointer are skipped when cmd is 6. However, the function unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the end. If cmd is 6, IndexCard may reference a board that does not exist (where RamIO is NULL), leading to a NULL pointer dereference. Fix this by skipping the readb access when cmd is 6, as this command is a global information query and does not target a specific board context. | 2026-01-13 | not yet calculated | CVE-2025-68797 | https://git.kernel.org/stable/c/5a6240804fb7bbd4f5f6e706955248a6f4c1abbc https://git.kernel.org/stable/c/d1b0452280029d05a98c75631131ee61c0b0d084 https://git.kernel.org/stable/c/0b8b353e09888bccee405e0dd6feafb60360f478 https://git.kernel.org/stable/c/d285517429a75423789e6408653e57b6fdfc8e54 https://git.kernel.org/stable/c/74883565c621eec6cd2e35fe6d27454cf2810c23 https://git.kernel.org/stable/c/f83e3e9f89181b42f6076a115d767a7552c4a39e https://git.kernel.org/stable/c/82d12088c297fa1cef670e1718b3d24f414c23f7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/amd: Check event before enable to avoid GPF On AMD machines cpuc->events[idx] can become NULL in a subtle race condition with NMI->throttle->x86_pmu_stop(). Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF. This appears to be an AMD only issue. Syzkaller reported a GPF in amd_pmu_enable_all. INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143 msecs Oops: general protection fault, probably for non-canonical address 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7] CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195 arch/x86/events/core.c:1430) RSP: 0018:ffff888118009d60 EFLAGS: 00010012 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002 R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601 FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0 Call Trace: <IRQ> amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2)) x86_pmu_enable (arch/x86/events/core.c:1360) event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186 kernel/events/core.c:2346) __perf_remove_from_context (kernel/events/core.c:2435) event_function (kernel/events/core.c:259) remote_function (kernel/events/core.c:92 (discriminator 1) kernel/events/core.c:72 (discriminator 1)) __flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64 kernel/smp.c:135 kernel/smp.c:540) __sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272) sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47) arch/x86/kernel/smp.c:266 (discriminator 47)) </IRQ> | 2026-01-13 | not yet calculated | CVE-2025-68798 | https://git.kernel.org/stable/c/49324a0c40f7e9bae1bd0362d23fc42232e14621 https://git.kernel.org/stable/c/6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f https://git.kernel.org/stable/c/e1028fb38b328084bc683a4efb001c95d3108573 https://git.kernel.org/stable/c/43c2e5c2acaae50e99d1c20a5a46e367c442fb3b https://git.kernel.org/stable/c/866cf36bfee4fba6a492d2dcc5133f857e3446b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrml_receive() The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2. If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS disabled, the subtraction causes an integer underflow. This can lead to memory exhaustion and kernel instability, and to potential information disclosure if padding contains uninitialized kernel memory. Fix this by validating that len >= 2 before performing the subtraction. | 2026-01-13 | not yet calculated | CVE-2025-68799 | https://git.kernel.org/stable/c/f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691 https://git.kernel.org/stable/c/c54091eec6fed19e94182aa05dd6846600a642f7 https://git.kernel.org/stable/c/785c7be6361630070790f6235b696da156ac71b3 https://git.kernel.org/stable/c/f818cd472565f8b0c2c409b040e0121c5cf8592c https://git.kernel.org/stable/c/4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3 https://git.kernel.org/stable/c/21fdcc00656a60af3c7aae2dea8dd96abd35519c https://git.kernel.org/stable/c/8a11ff0948b5ad09b71896b7ccc850625f9878d1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device. One instance of list entry deletion (during route replace) was missed and it can result in a use-after-free [1]. Fix by acquiring the mutex before deleting the entry from the list and releasing it afterwards. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] | 2026-01-13 | not yet calculated | CVE-2025-68800 | https://git.kernel.org/stable/c/b957366f5611bbaba03dd10ef861283347ddcc88 https://git.kernel.org/stable/c/6e367c361a523a4b54fe618215c64a0ee189caf0 https://git.kernel.org/stable/c/37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73 https://git.kernel.org/stable/c/5f2831fc593c2b2efbff7dd0dd7441cec76adcd5 https://git.kernel.org/stable/c/216afc198484fde110ebeafc017992266f4596ce https://git.kernel.org/stable/c/4049a6ace209f4ed150429f86ae796d7d6a4c22b https://git.kernel.org/stable/c/8ac1dacec458f55f871f7153242ed6ab60373b90 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1]. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference on it. A reference is only taken when the neighbour is used by a nexthop. Fix by simplifying the reference counting scheme. Always take a reference when storing a neighbour pointer in a neighbour entry. Avoid taking a reference when the neighbour is used by a nexthop as the neighbour entry associated with the nexthop already holds a reference. Tested by running the test that uncovered the problem over 300 times. Without this patch the problem was reproduced after a handful of iterations. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310 | 2026-01-13 | not yet calculated | CVE-2025-68801 | https://git.kernel.org/stable/c/a2dfe6758fc63e542105bee8b17a3a7485684db0 https://git.kernel.org/stable/c/9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc https://git.kernel.org/stable/c/c437fbfd4382412598cdda1f8e2881b523668cc2 https://git.kernel.org/stable/c/4a3c569005f42ab5e5b2ad637132a33bf102cc08 https://git.kernel.org/stable/c/ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a https://git.kernel.org/stable/c/675c5aeadf6472672c472dc0f26401e4fcfbf254 https://git.kernel.org/stable/c/8b0e69763ef948fb872a7767df4be665d18f5fd4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Limit num_syncs to prevent oversized allocations The exec and vm_bind ioctl allow userspace to specify an arbitrary num_syncs value. Without bounds checking, a very large num_syncs can force an excessively large allocation, leading to kernel warnings from the page allocator as below. Introduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request exceeding this limit. " WARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124 ... " v2: Add "Reported-by" and Cc stable kernels. v3: Change XE_MAX_SYNCS from 64 to 1024. (Matt & Ashutosh) v4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt) v5: Do the check at the top of the exec func. (Matt) (cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c) | 2026-01-13 | not yet calculated | CVE-2025-68802 | https://git.kernel.org/stable/c/e281d1fd6903a081ef023c341145ae92258e38d2 https://git.kernel.org/stable/c/1d200017f55f829b9e376093bd31dfbec92081de https://git.kernel.org/stable/c/8e461304009135270e9ccf2d7e2dfe29daec9b60 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode. Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file's mode bits rather than returning the originally-specified ACL. | 2026-01-13 | not yet calculated | CVE-2025-68803 | https://git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d https://git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725 https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1 https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862 https://git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3 https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192 https://git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver After unbinding the driver, another kthread `cros_ec_console_log_work` is still accessing the device, resulting in a UAF and crash. The driver doesn't unregister the EC device in .remove(), which should shut down sub-devices synchronously. Fix it. | 2026-01-13 | not yet calculated | CVE-2025-68804 | https://git.kernel.org/stable/c/27037916db38e6b78a0242031d3b93d997b84020 https://git.kernel.org/stable/c/e1da6e399df976dd04c7c73ec008bc81da368a95 https://git.kernel.org/stable/c/8dc1f5a85286290dbf04dd5951d020570f49779b https://git.kernel.org/stable/c/393b8f9bedc7806acb9c47cefdbdb223b4b6164b https://git.kernel.org/stable/c/4701493ba37654b3c38b526f6591cf0b02aa172f https://git.kernel.org/stable/c/24a2062257bbdfc831de5ed21c27b04b5bdf2437 https://git.kernel.org/stable/c/944edca81e7aea15f83cf9a13a6ab67f711e8abd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: fix io-uring list corruption for terminated non-committed requests When a request is terminated before it has been committed, the request is not removed from the queue's list. This leaves a dangling list entry that leads to list corruption and use-after-free issues. Remove the request from the queue's list for terminated non-committed requests. | 2026-01-13 | not yet calculated | CVE-2025-68805 | https://git.kernel.org/stable/c/a6d1f1ace16d0e777a85f84267160052d3499b6e https://git.kernel.org/stable/c/95c39eef7c2b666026c69ab5b30471da94ea2874 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix buffer validation by including null terminator size in EA length The smb2_set_ea function, which handles Extended Attributes (EA), was performing buffer validation checks that incorrectly omitted the size of the null terminating character (+1 byte) for EA Name. This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where the null terminator is expected to be present in the buffer, ensuring the validation accurately reflects the total required buffer size. | 2026-01-13 | not yet calculated | CVE-2025-68806 | https://git.kernel.org/stable/c/cae52c592a07e1d3fa3338a5f064a374a5f26750 https://git.kernel.org/stable/c/a28a375a5439eb474e9f284509a407efb479c925 https://git.kernel.org/stable/c/d26af6d14da43ab92d07bc60437c62901dc522e6 https://git.kernel.org/stable/c/6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4 https://git.kernel.org/stable/c/95d7a890e4b03e198836d49d699408fd1867cb55 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: fix race between wbt_enable_default and IO submission When wbt_enable_default() is moved out of queue freezing in elevator_change(), it can cause the wbt inflight counter to become negative (-1), leading to hung tasks in the writeback path. Tasks get stuck in wbt_wait() because the counter is in an inconsistent state. The issue occurs because wbt_enable_default() could race with IO submission, allowing the counter to be decremented before proper initialization. This manifests as: rq_wait[0]: inflight: -1 has_waiters: True rwb_enabled() checks the state, which can be updated exactly between wbt_wait() (rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter will become negative. And results in hung task warnings like: task:kworker/u24:39 state:D stack:0 pid:14767 Call Trace: rq_qos_wait+0xb4/0x150 wbt_wait+0xa9/0x100 __rq_qos_throttle+0x24/0x40 blk_mq_submit_bio+0x672/0x7b0 ... Fix this by: 1. Splitting wbt_enable_default() into: - __wbt_enable_default(): Returns true if wbt_init() should be called - wbt_enable_default(): Wrapper for existing callers (no init) - wbt_init_enable_default(): New function that checks and inits WBT 2. Using wbt_init_enable_default() in blk_register_queue() to ensure proper initialization during queue registration 3. Move wbt_init() out of wbt_enable_default() which is only for enabling disabled wbt from bfq and iocost, and wbt_init() isn't needed. Then the original lock warning can be avoided. 4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling code since it's no longer needed This ensures WBT is properly initialized before any IO can be submitted, preventing the counter from going negative. | 2026-01-13 | not yet calculated | CVE-2025-68807 | https://git.kernel.org/stable/c/f55201fb3becff6a903fd29f4d1147cc7e91eb0c https://git.kernel.org/stable/c/9869d3a6fed381f3b98404e26e1afc75d680cbf9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign(). The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NULL. This causes the vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and in the flow that jumps to free_eit, the memory that was freed by vidtv_psi_*_table_destroy() can be accessed again by vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it is freed once again. Therefore, to prevent use-after-free and double-free vulnerability, local pointers must be initialized to NULL when transferring memory ownership. | 2026-01-13 | not yet calculated | CVE-2025-68808 | https://git.kernel.org/stable/c/c342e294dac4988c8ada759b2f057246e48c5108 https://git.kernel.org/stable/c/12ab6ebb37789b84073e83e4d9b14a5e0d133323 https://git.kernel.org/stable/c/3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e https://git.kernel.org/stable/c/fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8 https://git.kernel.org/stable/c/a69c7fd603bf5ad93177394fbd9711922ee81032 https://git.kernel.org/stable/c/30f4d4e5224a9e44e9ceb3956489462319d804ce https://git.kernel.org/stable/c/98aabfe2d79f74613abc2b0b1cef08f97eaf5322 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: vfs: fix race on m_flags in vfs_cache ksmbd maintains delete-on-close and pending-delete state in ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under inconsistent locking: some paths read and modify m_flags under ci->m_lock while others do so without taking the lock at all. Examples: - ksmbd_query_inode_status() and __ksmbd_inode_close() use ci->m_lock when checking or updating m_flags. - ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close() used to read and modify m_flags without ci->m_lock. This creates a potential data race on m_flags when multiple threads open, close and delete the same file concurrently. In the worst case delete-on-close and pending-delete bits can be lost or observed in an inconsistent state, leading to confusing delete semantics (files that stay on disk after delete-on-close, or files that disappear while still in use). Fix it by: - Making ksmbd_query_inode_status() look at m_flags under ci->m_lock after dropping inode_hash_lock. - Adding ci->m_lock protection to all helpers that read or modify m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()). - Keeping the existing ci->m_lock protection in __ksmbd_inode_close(), and moving the actual unlink/xattr removal outside the lock. This unifies the locking around m_flags and removes the data race while preserving the existing delete-on-close behaviour. | 2026-01-13 | not yet calculated | CVE-2025-68809 | https://git.kernel.org/stable/c/5adad9727a815c26013b0d41cfee92ffa7d4037c https://git.kernel.org/stable/c/ccc78781041589ea383e61d5d7a1e9a31b210b93 https://git.kernel.org/stable/c/ee63729760f5b61a66f345c54dc4c7514e62383d https://git.kernel.org/stable/c/991f8a79db99b14c48d20d2052c82d65b9186cad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was initially created with a guest_memfd binding, as KVM doesn't support toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag. Failure to reject the new memslot results in a use-after-free due to KVM not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY change is easy enough, and can/will be done as a hardening measure (in anticipation of KVM supporting dirty logging on guest_memfd at some point), but fixing the use-after-free would only address the immediate symptom. | 2026-01-13 | not yet calculated | CVE-2025-68810 | https://git.kernel.org/stable/c/89dbbe6ff323fc34659621a577fe0af913f47386 https://git.kernel.org/stable/c/cb51bef465d8ec60a968507330e01020e35dc127 https://git.kernel.org/stable/c/9935df5333aa503a18de5071f53762b65c783c4c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: svcrdma: use rc_pageoff for memcpy byte offset svc_rdma_copy_inline_range added rc_curpage (page index) to the page base instead of the byte offset rc_pageoff. Use rc_pageoff so copies land within the current page. Found by ZeroPath (https://zeropath.com) | 2026-01-13 | not yet calculated | CVE-2025-68811 | https://git.kernel.org/stable/c/e8623e9c451e23d84b870811f42fd872b4089ef6 https://git.kernel.org/stable/c/2a77c8dd49bccf0ca232be7c836cec1209abb8da https://git.kernel.org/stable/c/a8ee9099f30654917aa68f55d707b5627e1dbf77 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: Add sanity check for stop streaming Add sanity check in iris_vb2_stop_streaming. If inst->state is already IRIS_INST_ERROR, we should skip the stream_off operation because it would still send packets to the firmware. In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. [bod: remove qcom from patch title] | 2026-01-13 | not yet calculated | CVE-2025-68812 | https://git.kernel.org/stable/c/f8b136296722e258ec43237a35f72c92a6d4501a https://git.kernel.org/stable/c/ad699fa78b59241c9d71a8cafb51525f3dab04d4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure(). The crash occurs when: 1. IPVS processes a packet in NAT mode with a misconfigured destination 2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route 3. The error path calls dst_link_failure(skb) with skb->dev == NULL 4. ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst() 5. fib_compute_spec_dst() dereferences NULL skb->dev Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure(). | 2026-01-13 | not yet calculated | CVE-2025-68813 | https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903 https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447 https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8 https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90 https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix filename leak in __io_openat_prep() __io_openat_prep() allocates a struct filename using getname(). However, for the condition of the file being installed in the fixed file table as well as having O_CLOEXEC flag set, the function returns early. At that point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this, the memory for the newly allocated struct filename is not cleaned up, causing a memory leak. Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the successful getname() call, so that when the request is torn down, the filename will be cleaned up, along with other resources needing cleanup. | 2026-01-13 | not yet calculated | CVE-2025-68814 | https://git.kernel.org/stable/c/2420ef01b2e836fbc05a0a8c73a1016504eb0458 https://git.kernel.org/stable/c/8f44c4a550570cd5903625133f938c6b51310c9b https://git.kernel.org/stable/c/18b99fa603d0df5e1c898699c17d3b92ddc80746 https://git.kernel.org/stable/c/e232269d511566b1f80872256a48593acc1becf4 https://git.kernel.org/stable/c/7fbfb85b05bc960cc50e09d03e5e562131e48d45 https://git.kernel.org/stable/c/b14fad555302a2104948feaff70503b64c80ac01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in the active list and removing it. This means that, if a user changes a strict class (which was in the active list) back to a drr one, that class will be added twice to the active list [1]. Doing so with the following commands: tc qdisc add dev lo root handle 1: ets bands 2 strict 1 tc qdisc add dev lo parent 1:2 handle 20: \ tbf rate 8bit burst 100b latency 1s tc filter add dev lo parent 1: basic classid 1:2 ping -c1 -W0.01 -s 56 127.0.0.1 tc qdisc change dev lo root handle 1: ets bands 2 strict 2 tc qdisc change dev lo root handle 1: ets bands 2 strict 1 ping -c1 -W0.01 -s 56 127.0.0.1 Will trigger the following splat with list debug turned on: [ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0. Fix this by always checking and removing an ets class from the active list when changing it to strict. [1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663 | 2026-01-13 | not yet calculated | CVE-2025-68815 | https://git.kernel.org/stable/c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2 https://git.kernel.org/stable/c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87 https://git.kernel.org/stable/c/8067db5c95aab9461d23117679338cd8869831fa https://git.kernel.org/stable/c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34 https://git.kernel.org/stable/c/cca2ed931b734fe48139bc6f020e47367346630f https://git.kernel.org/stable/c/43d9a530c8c094d137159784e7c951c65f11ec6c https://git.kernel.org/stable/c/b1e125ae425aba9b45252e933ca8df52a843ec70 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fw_tracer, Validate format string parameters Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware. The firmware tracer receives format strings from the device firmware and uses them to format trace messages. Without proper validation, bad firmware could provide format strings with invalid format specifiers (e.g., %s, %p, %n) that could lead to crashes, or other undefined behavior. Add mlx5_tracer_validate_params() to validate that all format specifiers in trace strings are limited to safe integer/hex formats (%x, %d, %i, %u, %llx, %lx, etc.). Reject strings containing other format types that could be used to access arbitrary memory or cause crashes. Invalid format strings are added to the trace output for visibility with "BAD_FORMAT: " prefix. | 2026-01-13 | not yet calculated | CVE-2025-68816 | https://git.kernel.org/stable/c/95624b731c490a4b849844269193a233d6d556a0 https://git.kernel.org/stable/c/768d559f466cdd72849110a7ecd76a21d52dcfe3 https://git.kernel.org/stable/c/38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d https://git.kernel.org/stable/c/8ac688c0e430dab19f6a9b70df94b1f635612c1a https://git.kernel.org/stable/c/45bd283b1d69e2c97cddcb9956f0e0261fc4efd7 https://git.kernel.org/stable/c/8c35c2448086870509ede43947845be0833251f0 https://git.kernel.org/stable/c/b35966042d20b14e2d83330049f77deec5229749 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, a tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. | 2026-01-13 | not yet calculated | CVE-2025-68817 | https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a https://git.kernel.org/stable/c/d64977495e44855f2b28d8ce56107c963a7a50e4 https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21 https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. The commit being reverted added code to __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmd_type and just assumed TYPE_SRB, which results in a jump to an invalid pointer in target-mode with TYPE_TGT_CMD: qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success 0000000009f7a79b qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event 0x8002 occurred qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor instruction fetch in kernel mode PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1 Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x4d/0x8b ? page_fault_oops+0x91/0x180 ? trace_buffer_unlock_commit_regs+0x38/0x1a0 ? exc_page_fault+0x391/0x5e0 ? asm_exc_page_fault+0x22/0x30 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] kthread+0xa8/0xd0 </TASK> Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within lock") added the spinlock back, because not having the lock caused a race and a crash. But qla2x00_abort_srb() in the switch below already checks for qla2x00_chip_is_down() and handles it the same way, so the code above the switch is now redundant and still buggy in target-mode. Remove it. | 2026-01-13 | not yet calculated | CVE-2025-68818 | https://git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3d https://git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1b https://git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003 https://git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1 https://git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0 https://git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d https://git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. Therefore, we need to add proper range checking to prevent this vuln. | 2026-01-13 | not yet calculated | CVE-2025-68819 | https://git.kernel.org/stable/c/c2c293ea7b61f12cdaad1e99a5b4efc58c88960a https://git.kernel.org/stable/c/c2305b4c5fc15e20ac06c35738e0578eb4323750 https://git.kernel.org/stable/c/61f214a878e96e2a8750bf96a98f78c658dba60c https://git.kernel.org/stable/c/4a54d8fcb093761e4c56eb211cf4e39bf8401fa1 https://git.kernel.org/stable/c/fe3e129ab49806aaaa3f22067ebc75c2dfbe4658 https://git.kernel.org/stable/c/ac92151ff2494130d9fc686055d6bbb9743a673e https://git.kernel.org/stable/c/b91e6aafe8d356086cc621bc03e35ba2299e4788 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: xattr: fix null pointer deref in ext4_raw_inode() If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all() lacks error checking, this will lead to a null pointer dereference in ext4_raw_inode(), called right after ext4_get_inode_loc(). Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-01-13 | not yet calculated | CVE-2025-68820 | https://git.kernel.org/stable/c/b72a3476f0c97d02f63a6e9fff127348d55436f6 https://git.kernel.org/stable/c/3d8d22e75f7edfa0b30ff27330fd6a1285d594c3 https://git.kernel.org/stable/c/190ad0f22ba49f1101182b80e3af50ca2ddfe72f https://git.kernel.org/stable/c/b5d942922182e82724b7152cb998f540132885ec https://git.kernel.org/stable/c/5b154e901fda2e98570b8f426a481f5740097dc2 https://git.kernel.org/stable/c/ce5f54c065a4a7cbb92787f4f140917112350142 https://git.kernel.org/stable/c/b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: fix readahead reclaim deadlock Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed") skips allocating ff->release_args if the server does not implement open. However in doing so, fuse_prepare_release() now skips grabbing the reference on the inode, which makes it possible for an inode to be evicted from the dcache while there are inflight readahead requests. This causes a deadlock if the server triggers reclaim while servicing the readahead request and reclaim attempts to evict the inode of the file being read ahead. Since the folio is locked during readahead, when reclaim evicts the fuse inode and fuse_evict_inode() attempts to remove all folios associated with the inode from the page cache (truncate_inode_pages_range()), reclaim will block forever waiting for the lock since readahead cannot relinquish the lock because it is itself blocked in reclaim: >>> stack_trace(1504735) folio_wait_bit_common (mm/filemap.c:1308:4) folio_lock (./include/linux/pagemap.h:1052:3) truncate_inode_pages_range (mm/truncate.c:336:10) fuse_evict_inode (fs/fuse/inode.c:161:2) evict (fs/inode.c:704:3) dentry_unlink_inode (fs/dcache.c:412:3) __dentry_kill (fs/dcache.c:615:3) shrink_kill (fs/dcache.c:1060:12) shrink_dentry_list (fs/dcache.c:1087:3) prune_dcache_sb (fs/dcache.c:1168:2) super_cache_scan (fs/super.c:221:10) do_shrink_slab (mm/shrinker.c:435:9) shrink_slab (mm/shrinker.c:626:10) shrink_node (mm/vmscan.c:5951:2) shrink_zones (mm/vmscan.c:6195:3) do_try_to_free_pages (mm/vmscan.c:6257:3) do_swap_page (mm/memory.c:4136:11) handle_pte_fault (mm/memory.c:5562:10) handle_mm_fault (mm/memory.c:5870:9) do_user_addr_fault (arch/x86/mm/fault.c:1338:10) handle_page_fault (arch/x86/mm/fault.c:1481:3) exc_page_fault (arch/x86/mm/fault.c:1539:2) asm_exc_page_fault+0x22/0x27 Fix this deadlock by allocating ff->release_args and grabbing the reference on the inode when preparing the file for release even if the server does not implement open. The inode reference will be dropped when the last reference on the fuse file is dropped (see fuse_file_put() -> fuse_release_end()). | 2026-01-13 | not yet calculated | CVE-2025-68821 | https://git.kernel.org/stable/c/cbbf3f1bb9f834bb2acbb61ddca74363456e19cd https://git.kernel.org/stable/c/4703bc0e8cd3409acb1476a70cb5b7ff943cf39a https://git.kernel.org/stable/c/cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f https://git.kernel.org/stable/c/fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6 https://git.kernel.org/stable/c/e0d6de83a4cc22bbac72713f3a58121af36cc411 https://git.kernel.org/stable/c/bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3_register_work The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad. During device detachment, the original implementation calls flush_workqueue() in psmouse_disconnect() to ensure completion of dev3_register_work. However, the flush_workqueue() in psmouse_disconnect() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work items submitted after flush_workqueue() is called are not included in the set of tasks that the flush operation awaits. This means that after flush_workqueue() has finished executing, the dev3_register_work could still be scheduled. Although the psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(), the scheduling of dev3_register_work remains unaffected. The race condition can occur as follows: CPU 0 (cleanup path) | CPU 1 (delayed work) psmouse_disconnect() | psmouse_set_state() | flush_workqueue() | alps_report_bare_ps2_packet() alps_disconnect() | psmouse_queue_work() kfree(priv); // FREE | alps_register_bare_ps2_mouse() | priv = container_of(work...); // USE | priv->dev3 // USE Add disable_delayed_work_sync() in alps_disconnect() to ensure that dev3_register_work is properly canceled and prevented from executing after the alps_data structure has been deallocated. This bug is identified by static analysis. | 2026-01-13 | not yet calculated | CVE-2025-68822 | https://git.kernel.org/stable/c/ed8c61b89be0c45f029228b2913d5cf7b5cda1a7 https://git.kernel.org/stable/c/a9c115e017b2c633d25bdfe6709dda6fc36f08c2 https://git.kernel.org/stable/c/bf40644ef8c8a288742fa45580897ed0e0289474 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: fix deadlock when reading partition table When one process (such as udev) opens ublk block device (e.g., to read the partition table via bdev_open()), a deadlock[1] can occur: 1. bdev_open() grabs disk->open_mutex 2. The process issues read I/O to ublk backend to read partition table 3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request() runs bio->bi_end_io() callbacks 4. If this triggers fput() on file descriptor of ublk block device, the work may be deferred to current task's task work (see fput() implementation) 5. This eventually calls blkdev_release() from the same context 6. blkdev_release() tries to grab disk->open_mutex again 7. Deadlock: same task waiting for a mutex it already holds The fix is to run blk_update_request() and blk_mq_end_request() with bottom halves disabled. This forces blkdev_release() to run in kernel work-queue context instead of current task work context, and allows ublk server to make forward progress, and avoids the deadlock. [axboe: rewrite comment in ublk] | 2026-01-13 | not yet calculated | CVE-2025-68823 | https://git.kernel.org/stable/c/0460e09a614291f06c008443f47393c37b7358e7 https://git.kernel.org/stable/c/c258f5c4502c9667bccf5d76fa731ab9c96687c1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hns3: using the num_tqps in the vf driver to apply for resources Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller than hdev->num_tqps, which causes some hdev->htqp[i] to remain uninitialized in hclgevf_knic_setup(). Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps, ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent and that all elements are properly initialized. | 2026-01-13 | not yet calculated | CVE-2025-71064 | https://git.kernel.org/stable/c/c149decd8c18ae6acdd7a6041d74507835cf26e6 https://git.kernel.org/stable/c/bcefdb288eedac96fd2f583298927e9c6c481489 https://git.kernel.org/stable/c/6cd8a2930df850f4600fe8c57d0662b376520281 https://git.kernel.org/stable/c/1956d47a03eb625951e9e070db39fe2590e27510 https://git.kernel.org/stable/c/429f946a7af3fbf08761d218746cd4afa80a7954 https://git.kernel.org/stable/c/62f28d79a6186a602a9d926a2dbb5b12b6867df7 https://git.kernel.org/stable/c/c2a16269742e176fccdd0ef9c016a233491a49ad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid potential deadlock As Jiaming Zhang and syzbot reported, there is potential deadlock in f2fs as below: Chain exists of: &sbi->cp_rwsem --> fs_reclaim --> sb_internal#2 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(sb_internal#2); lock(fs_reclaim); lock(sb_internal#2); rlock(&sbi->cp_rwsem); *** DEADLOCK *** 3 locks held by kswapd0/73: #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline] #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389 #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline] #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197 #2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890 stack backtrace: CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043 check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175 check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908 __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868 down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537 f2fs_down_read fs/f2fs/f2fs.h:2278 [inline] f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline] f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791 f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867 f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925 f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897 evict+0x504/0x9c0 fs/inode.c:810 f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853 evict+0x504/0x9c0 fs/inode.c:810 dispose_list fs/inode.c:852 [inline] prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000 super_cache_scan+0x39b/0x4b0 fs/super.c:224 do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437 shrink_slab_memcg mm/shrinker.c:550 [inline] shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628 shrink_one+0x28a/0x7c0 mm/vmscan.c:4955 shrink_many mm/vmscan.c:5016 [inline] lru_gen_shrink_node mm/vmscan.c:5094 [inline] shrink_node+0x315d/0x3780 mm/vmscan.c:6081 kswapd_shrink_node mm/vmscan.c:6941 [inline] balance_pgdat mm/vmscan.c:7124 [inline] kswapd+0x147c/0x2800 mm/vmscan.c:7389 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The root cause is deadlock among four locks as below: kswapd - fs_reclaim --- Lock A - shrink_one - evict - f2fs_evict_inode - sb_start_intwrite --- Lock B - iput - evict - f2fs_evict_inode - sb_start_intwrite --- Lock B - f2fs_truncate - f2fs_truncate_blocks - f2fs_do_truncate_blocks - f2fs_lock_op --- Lock C ioctl - f2fs_ioc_commit_atomic_write - f2fs_lock_op --- Lock C - __f2fs_commit_atomic_write - __replace_atomic_write_block - f2fs_get_dnode_of_data - __get_node_folio - f2fs_check_nid_range - f2fs_handle_error - f2fs_record_errors - f2fs_down_write --- Lock D open - do_open - do_truncate - security_inode_need_killpriv - f2fs_getxattr - lookup_all_xattrs - f2fs_handle_error - f2fs_record_errors - f2fs_down_write --- Lock D - f2fs_commit_super - read_mapping_folio - filemap_alloc_folio_noprof - prepare_alloc_pages - fs_reclaim_acquire --- Lock A In order to a ---truncated--- | 2026-01-13 | not yet calculated | CVE-2025-71065 | https://git.kernel.org/stable/c/8bd6dff8b801abaa362272894bda795bf0cf1307 https://git.kernel.org/stable/c/6c3bab5c6261aa22c561ef56b7365959a90e7d91 https://git.kernel.org/stable/c/86a85a7b622e6e8dba69810257733ce5eab5ed55 https://git.kernel.org/stable/c/ca8b201f28547e28343a6f00a6e91fa8c09572fe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change zdi-disclosures@trendmicro.com says: The vulnerability is a race condition between `ets_qdisc_dequeue` and `ets_qdisc_change`. It leads to UAF on `struct Qdisc` object. Attacker requires the capability to create new user and network namespace in order to trigger the bug. See my additional commentary at the end of the analysis. Analysis: static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, struct netlink_ext_ack *extack) { ... // (1) this lock is preventing .change handler (`ets_qdisc_change`) //to race with .dequeue handler (`ets_qdisc_dequeue`) sch_tree_lock(sch); for (i = nbands; i < oldbands; i++) { if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) list_del_init(&q->classes[i].alist); qdisc_purge_queue(q->classes[i].qdisc); } WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { // (2) the class is added to the q->active list_add_tail(&q->classes[i].alist, &q->active); q->classes[i].deficit = quanta[i]; } } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap)); for (i = 0; i < q->nbands; i++) WRITE_ONCE(q->classes[i].quantum, quanta[i]); for (i = oldbands; i < q->nbands; i++) { q->classes[i].qdisc = queues[i]; if (q->classes[i].qdisc != &noop_qdisc) qdisc_hash_add(q->classes[i].qdisc, true); } // (3) the qdisc is unlocked, now dequeue can be called in parallel // to the rest of .change handler sch_tree_unlock(sch); ets_offload_change(sch); for (i = q->nbands; i < oldbands; i++) { // (4) we're reducing the refcount for our class's qdisc and // freeing it qdisc_put(q->classes[i].qdisc); // (5) If we call .dequeue between (4) and (5), we will have // a strong UAF and we can control RIP q->classes[i].qdisc = NULL; WRITE_ONCE(q->classes[i].quantum, 0); q->classes[i].deficit = 0; gnet_stats_basic_sync_init(&q->classes[i].bstats); memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); } return 0; } Comment: This happens because some of the classes have their qdiscs assigned to NULL, but remain in the active list. This commit fixes this issue by always removing the class from the active list before deleting and freeing its associated qdisc Reproducer Steps (trimmed version of what was sent by zdi-disclosures@trendmicro.com) ``` DEV="${DEV:-lo}" ROOT_HANDLE="${ROOT_HANDLE:-1:}" BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2 PING_BYTES="${PING_BYTES:-48}" PING_COUNT="${PING_COUNT:-200000}" PING_DST="${PING_DST:-127.0.0.1}" SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}" SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}" SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}" cleanup() { tc qdisc del dev "$DEV" root 2>/dev/null } trap cleanup EXIT ip link set "$DEV" up tc qdisc del dev "$DEV" root 2>/dev/null || true tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \ tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT" tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2 tc -s qdisc ls dev $DEV ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \ >/dev/null 2>&1 & tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0 tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc -s qdisc ls dev $DEV tc qdisc del dev "$DEV" parent ---truncated--- | 2026-01-13 | not yet calculated | CVE-2025-71066 | https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3 https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9 https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0 https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39 https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs: set dummy blocksize to read boot_block when mounting When mounting, sb->s_blocksize is used to read the boot_block without being defined or validated. Set a dummy blocksize before attempting to read the boot_block. The issue can be triggered with the following syz reproducer: mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0) r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0) ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000) mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0) syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0) Here, the ioctl sets the bdev block size to 16384. During mount, get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)), but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves sb->s_blocksize at zero. Later, ntfs_init_from_boot() attempts to read the boot_block while sb->s_blocksize is still zero, which triggers the bug. [almaz.alexandrovich@paragon-software.com: changed comment style, added return value handling] | 2026-01-13 | not yet calculated | CVE-2025-71067 | https://git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43 https://git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417 https://git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a https://git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array. Add guards before the first use and after advancing to a new page. | 2026-01-13 | not yet calculated | CVE-2025-71068 | https://git.kernel.org/stable/c/a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9 https://git.kernel.org/stable/c/7ba826aae1d43212f3baa53a2175ad949e21926e https://git.kernel.org/stable/c/5f140b525180c628db8fa6c897f138194a2de417 https://git.kernel.org/stable/c/da1ccfc4c452541584a4eae89e337cfa21be6d5a https://git.kernel.org/stable/c/d1bea0ce35b6095544ee82bb54156fc62c067e58 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: invalidate dentry cache on failed whiteout creation F2FS can mount filesystems with corrupted directory depth values that get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT operations are performed on such directories, f2fs_rename performs directory modifications (updating target entry and deleting source entry) before attempting to add the whiteout entry via f2fs_add_link. If f2fs_add_link fails due to the corrupted directory structure, the function returns an error to VFS, but the partial directory modifications have already been committed to disk. VFS assumes the entire rename operation failed and does not update the dentry cache, leaving stale mappings. In the error path, VFS does not call d_move() to update the dentry cache. This results in new_dentry still pointing to the old inode (new_inode) which has already had its i_nlink decremented to zero. The stale cache causes subsequent operations to incorrectly reference the freed inode. This causes subsequent operations to use cached dentry information that no longer matches the on-disk state. When a second rename targets the same entry, VFS attempts to decrement i_nlink on the stale inode, which may already have i_nlink=0, triggering a WARNING in drop_nlink(). Example sequence: 1. First rename (RENAME_WHITEOUT): file2 → file1 - f2fs updates file1 entry on disk (points to inode 8) - f2fs deletes file2 entry on disk - f2fs_add_link(whiteout) fails (corrupted directory) - Returns error to VFS - VFS does not call d_move() due to error - VFS cache still has: file1 → inode 7 (stale!) - inode 7 has i_nlink=0 (already decremented) 2. Second rename: file3 → file1 - VFS uses stale cache: file1 → inode 7 - Tries to drop_nlink on inode 7 (i_nlink already 0) - WARNING in drop_nlink() Fix this by explicitly invalidating old_dentry and new_dentry when f2fs_add_link fails during whiteout creation. This forces VFS to refresh from disk on subsequent operations, ensuring cache consistency even when the rename partially succeeds. Reproducer: 1. Mount F2FS image with corrupted i_current_depth 2. renameat2(file2, file1, RENAME_WHITEOUT) 3. renameat2(file3, file1, 0) 4. System triggers WARNING in drop_nlink() | 2026-01-13 | not yet calculated | CVE-2025-71069 | https://git.kernel.org/stable/c/7f2bae0c881aa1e0a6318756df692cc13df2cc83 https://git.kernel.org/stable/c/3d95ed8cf980fdfa67a3ab9491357521ae576168 https://git.kernel.org/stable/c/64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb https://git.kernel.org/stable/c/3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5 https://git.kernel.org/stable/c/c89845fae250efdd59c1d4ec60e9e1c652cee4b6 https://git.kernel.org/stable/c/0dde30753c1e8648665dbe069d814e540ce2fd37 https://git.kernel.org/stable/c/d33f89b34aa313f50f9a512d58dd288999f246b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: clean up user copy references on ublk server exit If a ublk server process releases a ublk char device file, any requests dispatched to the ublk server but not yet completed will retain a ref value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 ("ublk: simplify aborting ublk request"), __ublk_fail_req() would decrement the reference count before completing the failed request. However, that commit optimized __ublk_fail_req() to call __ublk_complete_rq() directly without decrementing the request reference count. The leaked reference count incorrectly allows user copy and zero copy operations on the completed ublk request. It also triggers the WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit() and ublk_deinit_queue(). Commit c5c5eb24ed61 ("ublk: avoid ublk_io_release() called after ublk char dev is closed") already fixed the issue for ublk devices using UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference count leak also affects UBLK_F_USER_COPY, the other reference-counted data copy mode. Fix the condition in ublk_check_and_reset_active_ref() to include all reference-counted data copy modes. This ensures that any ublk requests still owned by the ublk server when it exits have their reference counts reset to 0. | 2026-01-13 | not yet calculated | CVE-2025-71070 | https://git.kernel.org/stable/c/13456b4f1033d911f8bf3a0a1195656f293ba0f6 https://git.kernel.org/stable/c/daa24603d9f0808929514ee62ced30052ca7221c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case a larb device has not yet been bound to its driver so that the iommu driver probe defers. Fix this by keeping the references as expected while the iommu driver is bound. | 2026-01-13 | not yet calculated | CVE-2025-71071 | https://git.kernel.org/stable/c/896ec55da3b90bdb9fc04fedc17ad8c359b2eee5 https://git.kernel.org/stable/c/5c04217d06a1161aaf36267e9d971ab6f847d5a7 https://git.kernel.org/stable/c/1ef70a0b104ae8011811f60bcfaa55ff49385171 https://git.kernel.org/stable/c/f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a https://git.kernel.org/stable/c/de83d4617f9fe059623e97acf7e1e10d209625b5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: shmem: fix recovery on rename failures maple_tree insertions can fail if we are seriously short on memory; simple_offset_rename() does not recover well if it runs into that. The same goes for simple_offset_rename_exchange(). Moreover, shmem_whiteout() expects that if it succeeds, the caller will progress to d_move(), i.e. that shmem_rename2() won't fail past the successful call of shmem_whiteout(). Not hard to fix, fortunately - mtree_store() can't fail if the index we are trying to store into is already present in the tree as a singleton. For simple_offset_rename_exchange() that's enough - we just need to be careful about the order of operations. For simple_offset_rename() solution is to preinsert the target into the tree for new_dir; the rest can be done without any potentially failing operations. That preinsertion has to be done in shmem_rename2() rather than in simple_offset_rename() itself - otherwise we'd need to deal with the possibility of failure after successful shmem_whiteout(). | 2026-01-13 | not yet calculated | CVE-2025-71072 | https://git.kernel.org/stable/c/4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113 https://git.kernel.org/stable/c/4642686699a46718d7f2fb5acd1e9d866a9d9cca https://git.kernel.org/stable/c/e1b4c6a58304fd490124cc2b454d80edc786665c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields. lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has been freed, leading to a potential use-after-free. Use disable_work_sync() instead of cancel_work_sync() to ensure the reinit work cannot be re-queued, and call it both in lkkbd_disconnect() and in lkkbd_connect() error paths after serio_open(). | 2026-01-13 | not yet calculated | CVE-2025-71073 | https://git.kernel.org/stable/c/3a7cd1397c209076c371d53bf39a55c138f62342 https://git.kernel.org/stable/c/cffc4e29b1e2d44ab094cf142d7c461ff09b9104 https://git.kernel.org/stable/c/e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: functionfs: fix the open/removal races ffs_epfile_open() can race with removal, ending up with file->private_data pointing to freed object. There is a total count of opened files on functionfs (both ep0 and dynamic ones) and when it hits zero, dynamic files get removed. Unfortunately, that removal can happen while another thread is in ffs_epfile_open(), but has not incremented the count yet. In that case open will succeed, leaving us with UAF on any subsequent read() or write(). The root cause is that ffs->opened is misused; atomic_dec_and_test() vs. atomic_add_return() is not a good idea, when object remains visible all along. To untangle that * serialize openers on ffs->mutex (both for ep0 and for dynamic files) * have dynamic ones use atomic_inc_not_zero() and fail if we had zero ->opened; in that case the file we are opening is doomed. * have the inodes of dynamic files marked on removal (from the callback of simple_recursive_removal()) - clear ->i_private there. * have open of dynamic ones verify they hadn't been already removed, along with checking that state is FFS_ACTIVE. | 2026-01-13 | not yet calculated | CVE-2025-71074 | https://git.kernel.org/stable/c/b49c766856fb5901490de577e046149ebf15e39d https://git.kernel.org/stable/c/e5bf5ee266633cb18fff6f98f0b7d59a62819eee |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module unload), a race condition can occur. The fix adds tasklet_kill() before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceeds. | 2026-01-13 | not yet calculated | CVE-2025-71075 | https://git.kernel.org/stable/c/c8f6f88cd1df35155258285c4f43268b361819df https://git.kernel.org/stable/c/278455a82245a572aeb218a6212a416a98e418de https://git.kernel.org/stable/c/b3e655e52b98a1d3df41c8e42035711e083099f8 https://git.kernel.org/stable/c/e354793a7ab9bb0934ea699a9d57bcd1b48fc27b https://git.kernel.org/stable/c/a41dc180b6e1229ae49ca290ae14d82101c148c3 https://git.kernel.org/stable/c/751c19635c2bfaaf2836a533caa3663633066dcf https://git.kernel.org/stable/c/f6ab594672d4cba08540919a4e6be2e202b60007 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Limit num_syncs to prevent oversized allocations The OA open parameters did not validate num_syncs, allowing userspace to pass arbitrarily large values, potentially leading to excessive allocations. Add check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS, returning -EINVAL when the limit is violated. v2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh) (cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b) | 2026-01-13 | not yet calculated | CVE-2025-71076 | https://git.kernel.org/stable/c/b963636331fb4f3f598d80492e2fa834757198eb https://git.kernel.org/stable/c/338849090ee610ff6d11e5e90857d2c27a4121ab https://git.kernel.org/stable/c/f8dd66bfb4e184c71bd26418a00546ebe7f5c17a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: Cap the number of PCR banks tpm2_get_pcr_allocation() does not cap any upper limit for the number of banks. Cap the limit to eight banks so that out of bounds values coming from external I/O cause only limited harm. | 2026-01-13 | not yet calculated | CVE-2025-71077 | https://git.kernel.org/stable/c/8ceee7288152bc121a6bf92997261838c78bfe06 https://git.kernel.org/stable/c/275c686f1e3cc056ec66c764489ec1fe1e51b950 https://git.kernel.org/stable/c/ceb70d31da5671d298bad94ae6c20e4bbb800f96 https://git.kernel.org/stable/c/d88481653d74d622d1d0d2c9bad845fc2cc6fd23 https://git.kernel.org/stable/c/b69492161c056d36789aee42a87a33c18c8ed5e1 https://git.kernel.org/stable/c/858344bc9210bea9ab2bdc7e9e331ba84c164e50 https://git.kernel.org/stable/c/faf07e611dfa464b201223a7253e9dc5ee0f3c9e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to periodic eviction - typically after every 256 context switches - to remove old entry. To optimize performance, the kernel skips switch_mmu_context() in switch_mm_irqs_off() when the prev and next mm_struct are the same. However, on hash MMU systems, this can lead to inconsistencies between the hardware SLB and the software preload cache. If an SLB entry for a process is evicted from the software cache on one CPU, and the same process later runs on another CPU without executing switch_mmu_context(), the hardware SLB may retain stale entries. If the kernel then attempts to reload that entry, it can trigger an SLB multi-hit error. The following timeline shows how stale SLB entries are created and can cause a multi-hit error when a process moves between CPUs without a MMU context switch. CPU 0 CPU 1 ----- ----- Process P exec swapper/1 load_elf_binary begin_new_exc activate_mm switch_mm_irqs_off switch_mmu_context switch_slb /* * This invalidates all * the entries in the HW * and setup the new HW * SLB entries as per the * preload cache. */ context_switch sched_migrate_task migrates process P to cpu-1 Process swapper/0 context switch (to process P) (uses mm_struct of Process P) switch_mm_irqs_off() switch_slb load_slb++ /* * load_slb becomes 0 here * and we evict an entry from * the preload cache with * preload_age(). We still * keep HW SLB and preload * cache in sync, that is * because all HW SLB entries * anyways gets evicted in * switch_slb during SLBIA. * We then only add those * entries back in HW SLB, * which are currently * present in preload_cache * (after eviction). */ load_elf_binary continues... setup_new_exec() slb_setup_new_exec() sched_switch event sched_migrate_task migrates process P to cpu-0 context_switch from swapper/0 to Process P switch_mm_irqs_off() /* * Since both prev and next mm struct are same we don't call * switch_mmu_context(). This will cause the HW SLB and SW preload * cache to go out of sync in preload_new_slb_context. Because there * was an SLB entry which was evicted from both HW and preload cache * on cpu-1. Now later in preload_new_slb_context(), when we will try * to add the same preload entry again, we will add this to the SW * preload cache and then will add it to the HW SLB. Since on cpu-0 * this entry was never invalidated, hence adding this entry to the HW * SLB will cause a SLB multi-hit error. */ load_elf_binary cont ---truncated--- | 2026-01-13 | not yet calculated | CVE-2025-71078 | https://git.kernel.org/stable/c/01324c0328181b94cf390bda22ff91c75126ea57 https://git.kernel.org/stable/c/2e9a95d60f1df7b57618fd5ef057aef331575bd2 https://git.kernel.org/stable/c/c9f865022a1823d814032a09906e91e4701a35fc https://git.kernel.org/stable/c/b13a3dbfa196af68eae2031f209743735ad416bf https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37 https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8 https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock Thread B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex This creates a classic ABBA deadlock scenario. Fix this by moving rfkill_unregister() and rfkill_destroy() outside the device_lock critical section. Store the rfkill pointer in a local variable before releasing the lock, then call rfkill_unregister() after releasing device_lock. This change is safe because rfkill_fop_write() holds rfkill_global_mutex while calling the rfkill callbacks, and rfkill_unregister() also acquires rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will wait for any ongoing callback to complete before proceeding, and device_del() is only called after rfkill_unregister() returns, preventing any use-after-free. The similar lock ordering in nfc_register_device() (device_lock -> rfkill_global_mutex via rfkill_register) is safe because during registration the device is not yet in rfkill_list, so no concurrent rfkill operations can occur on this device. | 2026-01-13 | not yet calculated | CVE-2025-71079 | https://git.kernel.org/stable/c/2e0831e9fc46a06daa6d4d8d57a2738e343130c3 https://git.kernel.org/stable/c/e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012 https://git.kernel.org/stable/c/ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5 https://git.kernel.org/stable/c/6b93c8ab6f6cda8818983a4ae3fcf84b023037b4 https://git.kernel.org/stable/c/8fc4632fb508432895430cd02b38086bdd649083 https://git.kernel.org/stable/c/f3a8a7c1aa278f2378b2f3a10500c6674dffdfda https://git.kernel.org/stable/c/1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the current task can be preempted. Another task running on the same CPU may then execute rt6_make_pcpu_route() and successfully install a pcpu_rt entry. When the first task resumes execution, its cmpxchg() in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding mdelay() after rt6_get_pcpu_route(). Using preempt_disable/enable is not appropriate here because ip6_rt_pcpu_alloc() may sleep. Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT: free our allocation and return the existing pcpu_rt installed by another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT kernels where such races should not occur. | 2026-01-13 | not yet calculated | CVE-2025-71080 | https://git.kernel.org/stable/c/1dc33ad0867325f8d2c6d7b2a6f542d4f3121f66 https://git.kernel.org/stable/c/787515ccb2292f82eb0876993129154629a49651 https://git.kernel.org/stable/c/1adaea51c61b52e24e7ab38f7d3eba023b2d050d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: sai: fix OF node leak on probe The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the set_sync() callback fails during DAI probe. Make sure to drop the reference on platform probe failures (e.g. probe deferral) and on driver unbind. This also avoids a potential use-after-free in case the DAI is ever reprobed without first rebinding the platform driver. | 2026-01-13 | not yet calculated | CVE-2025-71081 | https://git.kernel.org/stable/c/7daa50a2157e41c964b745ab1dc378b5b3b626d1 https://git.kernel.org/stable/c/acda653169e180b1d860dbb6bc5aceb105858394 https://git.kernel.org/stable/c/4054a3597d047f3fe87864ef87f399b5d523e6c0 https://git.kernel.org/stable/c/bae74771fc5d3b2a9cf6f5aa64596083d032c4a3 https://git.kernel.org/stable/c/3752afcc6d80d5525e236e329895ba2cb93bcb26 https://git.kernel.org/stable/c/23261f0de09427367e99f39f588e31e2856a690e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This ties the lifetime of all the btusb data to the binding of a driver to one interface, INTF. In a driver that binds to other interfaces, ISOC and DIAG, this is an accident waiting to happen. The issue is revealed in btusb_disconnect(), where calling usb_driver_release_interface(&btusb_driver, data->intf) will have devm free the data that is also being used by the other interfaces of the driver that may not be released yet. To fix this, revert the use of devm and go back to freeing memory explicitly. | 2026-01-13 | not yet calculated | CVE-2025-71082 | https://git.kernel.org/stable/c/fff9206b0907252a41eb12b7c1407b9347df18b1 https://git.kernel.org/stable/c/cca0e9206e3bcc63cd3e72193e60149165d493cc https://git.kernel.org/stable/c/c0ecb3e4451fe94f4315e6d09c4046dfbc42090b https://git.kernel.org/stable/c/1e54c19eaf84ba652c4e376571093e58e144b339 https://git.kernel.org/stable/c/fdf7c640fb8a44a59b0671143d8c2f738bc48003 https://git.kernel.org/stable/c/252714f1e8bdd542025b16321c790458014d6880 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted. When devcoredump tries to read the contents of all BOs for dumping, we need to expect this as well -- in this case, ENODATA is recorded instead of the buffer contents. | 2026-01-13 | not yet calculated | CVE-2025-71083 | https://git.kernel.org/stable/c/47a85604a761005d255ae38115ee630cc6931756 https://git.kernel.org/stable/c/4b9944493c6d92d7b29cfd83aaf3deb842b8da79 https://git.kernel.org/stable/c/3d004f7341d4898889801ebb2ef61ffca610dd6f https://git.kernel.org/stable/c/5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0 https://git.kernel.org/stable/c/b94182b3d7228aec18d069cba56d5982e9bfe1b1 https://git.kernel.org/stable/c/491adc6a0f9903c32b05f284df1148de39e8e644 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr. This leaks a refcount and triggers a WARN: GID entry ref leak for dev syz1 index 2 ref=573 WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline] WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886 Destroy the ah_attr after canceling the work, it is safe to call this twice. | 2026-01-13 | not yet calculated | CVE-2025-71084 | https://git.kernel.org/stable/c/d5ce588a9552878859a4d44b70b724216c188a5f https://git.kernel.org/stable/c/abf38398724ecc888f62c678d288da40d11878af https://git.kernel.org/stable/c/ab668a58c4a2ccb6d54add7a76f2f955d15d0196 https://git.kernel.org/stable/c/c0acdee513239e1d6e1b490f56be0e6837dfd162 https://git.kernel.org/stable/c/5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3 https://git.kernel.org/stable/c/3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5 https://git.kernel.org/stable/c/57f3cb6c84159d12ba343574df2115fb18dd83ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom. PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0); | 2026-01-13 | not yet calculated | CVE-2025-71085 | https://git.kernel.org/stable/c/86f365897068d09418488165a68b23cb5baa37f2 https://git.kernel.org/stable/c/6b7522424529556c9cbc15e15e7bd4eeae310910 https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1 https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0 https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24 https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570 https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer dereference and also leaks references taken via sock_hold(). Fix the index to use i. | 2026-01-13 | not yet calculated | CVE-2025-71086 | https://git.kernel.org/stable/c/819fb41ae54960f66025802400c9d3935eef4042 https://git.kernel.org/stable/c/ed2639414d43ba037f798eaf619e878309310451 https://git.kernel.org/stable/c/1418c12cd3bba79dc56b57b61c99efe40f579981 https://git.kernel.org/stable/c/9f6185a32496834d6980b168cffcccc2d6b17280 https://git.kernel.org/stable/c/b409ba9e1e63ccf3ab4cc061e33c1f804183543e https://git.kernel.org/stable/c/92d900aac3a5721fb54f3328f1e089b44a861c38 https://git.kernel.org/stable/c/6595beb40fb0ec47223d3f6058ee40354694c8e4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX which is safe since the value is the last valid index. That commit changed the bounds to: i <= adapter->rss_{key,lut}_size / 4 where `rss_{key,lut}_size / 4` is the number of dwords, so the last valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=` accesses one element past the end. Fix the issues by using `<` instead of `<=`, ensuring we do not exceed the bounds. [1] KASAN splat about rss_key_size off-by-one BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: iavf iavf_watchdog_task Call Trace: <TASK> dump_stack_lvl+0x6f/0xb0 print_report+0x170/0x4f3 kasan_report+0xe1/0x1a0 iavf_config_rss+0x619/0x800 iavf_watchdog_task+0x2be7/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 63: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_noprof+0x246/0x6f0 iavf_watchdog_task+0x28fc/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 The buggy address belongs to the object at ffff888102c50100 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes to the right of allocated 52-byte region [ffff888102c50100, ffff888102c50134) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 flags: 0x200000000000000(node=0|zone=2) page_type: f5(slab) raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc ^ ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | 2026-01-13 | not yet calculated | CVE-2025-71087 | https://git.kernel.org/stable/c/ceb8459df28d22c225a82d74c0f725f2a935d194 https://git.kernel.org/stable/c/5bb18bfd505ca1affbca921462c350095a6c798c https://git.kernel.org/stable/c/d7369dc8dd7cbf5cee3a22610028d847b6f02982 https://git.kernel.org/stable/c/18de0e41d69d97fab10b91fecf10ae78a5e43232 https://git.kernel.org/stable/c/f36de3045d006e6d9be1be495f2ed88d1721e752 https://git.kernel.org/stable/c/3095228e1320371e143835d0cebeef1a8a754c66 https://git.kernel.org/stable/c/6daa2893f323981c7894c68440823326e93a7d61 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6 RSP: 0018:ffffc900006cf338 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900 R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0 Call Trace: <TASK> tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197 tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922 tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672 tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918 ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500 dst_input include/net/dst.h:471 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092 process_backlog+0x442/0x15e0 net/core/dev.c:6444 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494 napi_poll net/core/dev.c:7557 [inline] net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579 run_ksoftirqd kernel/softirq.c:968 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160 kthread+0x3c2/0x780 kernel/kthread.c:463 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The TCP subflow can process the simult-connect syn-ack packet after transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check, as the sk_state_change() callback is not invoked for * -> FIN_WAIT1 transitions. That will move the msk socket to an inconsistent status and the next incoming data will hit the reported splat. Close the race moving the simult-fallback check at the earliest possible stage - that is at syn-ack generation time. About the fixes tags: [2] was supposed to also fix this issue introduced by [3]. [1] is required as a dependence: it was not explicitly marked as a fix, but it is one and it has already been backported before [3]. In other words, this commit should be backported up to [3], including [2] and [1] if that's not already there. | 2026-01-13 | not yet calculated | CVE-2025-71088 | https://git.kernel.org/stable/c/b5f46a08269265e2f5e87d855287d6d22de0a32b https://git.kernel.org/stable/c/c9bf315228287653522894df9d851e9b43db9516 https://git.kernel.org/stable/c/79f80a7a47849ef1b3c25a0bedcc448b9cb551c1 https://git.kernel.org/stable/c/25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86 https://git.kernel.org/stable/c/71154bbe49423128c1c8577b6576de1ed6836830 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages. | 2026-01-13 | not yet calculated | CVE-2025-71089 | https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9 https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4 https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661 https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg() nfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites fp->fi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if the client already has a SHARE_ACCESS_READ open from a previous OPEN operation, this action overwrites the existing pointer without releasing its reference, orphaning the previous reference. Additionally, the function originally stored the same nfsd_file pointer in both fp->fi_fds[O_RDONLY] and fp->fi_rdeleg_file with only a single reference. When put_deleg_file() runs, it clears fi_rdeleg_file and calls nfs4_file_put_access() to release the file. However, nfs4_file_put_access() only releases fi_fds[O_RDONLY] when the fi_access[O_RDONLY] counter drops to zero. If another READ open exists on the file, the counter remains elevated and the nfsd_file reference from the delegation is never released. This potentially causes open conflicts on that file. Then, on server shutdown, these leaks cause __nfsd_file_cache_purge() to encounter files with an elevated reference count that cannot be cleaned up, ultimately triggering a BUG() in kmem_cache_destroy() because there are still nfsd_file objects allocated in that cache. | 2026-01-13 | not yet calculated | CVE-2025-71090 | https://git.kernel.org/stable/c/c07dc84ed67c5a182273171639bacbbb87c12175 https://git.kernel.org/stable/c/8072e34e1387d03102b788677d491e2bcceef6f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:59! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59 Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286 RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000 RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005 RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230 R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480 FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0 Call Trace: <TASK> __list_del_entry_valid include/linux/list.h:132 [inline] __list_del_entry include/linux/list.h:223 [inline] list_del_rcu include/linux/rculist.h:178 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 team_option_set drivers/net/team/team_core.c:376 [inline] team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 __sys_sendmsg+0x16d/0x220 net/socket.c:2716 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The problem is in this flow: 1) Port is enabled, queue_id != 0, in qom_list 2) Port gets disabled -> team_port_disable() -> team_queue_override_port_del() -> del (removed from list) 3) Port is disabled, queue_id != 0, not in any list 4) Priority changes -> team_queue_override_port_prio_changed() -> checks: port disabled && queue_id != 0 -> calls del - hits the BUG as it is removed already To fix this, change the check in team_queue_override_port_prio_changed() so it returns early if port is not enabled. | 2026-01-13 | not yet calculated | CVE-2025-71091 | https://git.kernel.org/stable/c/25029e813c4aae5fcf7118e8dd5c56e382b9a1a3 https://git.kernel.org/stable/c/f820e438b8ec2a8354e70e75145f05fe45500d97 https://git.kernel.org/stable/c/53a727a8bfd78c739e130a781192d0f6f8e03d39 https://git.kernel.org/stable/c/6bfb62b6010a16112dcae52f490e5e0e6abe12a3 https://git.kernel.org/stable/c/107d245f84cb4f55f597d31eda34b42a2b7d6952 https://git.kernel.org/stable/c/b71187648ef2349254673d0523fdf96d1fe3d758 https://git.kernel.org/stable/c/932ac51d9953eaf77a1252f79b656d4ca86163c6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats() Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update") added three new counters and placed them after BNXT_RE_OUT_OF_SEQ_ERR. BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware statistics with different num_counters values on chip_gen_p5_p7 devices. As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating hw_stats, which leads to an out-of-bounds write in bnxt_re_copy_err_stats(). The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not only p5/p7 devices. Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they are included in the generic counter set. | 2026-01-13 | not yet calculated | CVE-2025-71092 | https://git.kernel.org/stable/c/369a161c48723f60f06f3510b82ea7d96d0499ab https://git.kernel.org/stable/c/9b68a1cc966bc947d00e4c0df7722d118125aa37 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor-reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq): ================================================================== BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790 Read of size 1 at addr ffff888014114e54 by task sshd/363 CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x5a/0x74 print_address_description+0x7b/0x440 print_report+0x101/0x200 kasan_report+0xc1/0xf0 e1000_tbi_should_accept+0x610/0x790 e1000_clean_rx_irq+0xa8c/0x1110 e1000_clean+0xde2/0x3c10 __napi_poll+0x98/0x380 net_rx_action+0x491/0xa20 __do_softirq+0x2c9/0x61d do_softirq+0xd1/0x120 </IRQ> <TASK> __local_bh_enable_ip+0xfe/0x130 ip_finish_output2+0x7d5/0xb00 __ip_queue_xmit+0xe24/0x1ab0 __tcp_transmit_skb+0x1bcb/0x3340 tcp_write_xmit+0x175d/0x6bd0 __tcp_push_pending_frames+0x7b/0x280 tcp_sendmsg_locked+0x2e4f/0x32d0 tcp_sendmsg+0x24/0x40 sock_write_iter+0x322/0x430 vfs_write+0x56c/0xa60 ksys_write+0xd1/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f511b476b10 Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24 RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10 RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003 RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00 R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003 </TASK> Allocated by task 1: __kasan_krealloc+0x131/0x1c0 krealloc+0x90/0xc0 add_sysfs_param+0xcb/0x8a0 kernel_add_sysfs_param+0x81/0xd4 param_sysfs_builtin+0x138/0x1a6 param_sysfs_init+0x57/0x5b do_one_initcall+0x104/0x250 do_initcall_level+0x102/0x132 do_initcalls+0x46/0x74 kernel_init_freeable+0x28f/0x393 kernel_init+0x14/0x1a0 ret_from_fork+0x22/0x30 The buggy address belongs to the object at ffff888014114000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1620 bytes to the right of 2048-byte region [ffff888014114000, ffff888014114800] The buggy address belongs to the physical page: page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110 head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab\|head\|node=0\|zone=1) raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected ================================================================== This happens because the TBI check unconditionally dereferences the last byte without validating the reported length first: u8 last_byte = *(data + length - 1); Fix by rejecting the frame early if the length is zero, or if it exceeds adapter->rx_buffer_len. This preserves the TBI workaround semantics for valid frames and prevents touching memory beyond the RX buffer. | 2026-01-13 | not yet calculated | CVE-2025-71093 | https://git.kernel.org/stable/c/4ccfa56f272241e8d8e2c38191fdbb03df489d80 https://git.kernel.org/stable/c/278b7cfe0d4da7502c7fd679b15032f014c92892 https://git.kernel.org/stable/c/ad7a2a45e2417ac54089926b520924f8f0d91aea https://git.kernel.org/stable/c/2c4c0c09f9648ba766d399917d420d03e7b3e1f8 https://git.kernel.org/stable/c/26c8bebc2f25288c2bcac7bc0a7662279a0e817c https://git.kernel.org/stable/c/ee7c125fb3e8b04dd46510130b9fc92380e5d578 https://git.kernel.org/stable/c/9c72a5182ed92904d01057f208c390a303f00a0f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy(): addr 207 out of range WARNING: drivers/net/phy/mdio_bus.c:76 Validate the PHY address in asix_read_phy_addr() and remove the now-redundant check in ax88172a.c. | 2026-01-13 | not yet calculated | CVE-2025-71094 | https://git.kernel.org/stable/c/fc96018f09f8d30586ca6582c5045a84eafef146 https://git.kernel.org/stable/c/f5f4f30f3811d37e1aa48667c36add74e5a8d99f https://git.kernel.org/stable/c/38722e69ee64dbb020028c93898d25d6f4c0e0b2 https://git.kernel.org/stable/c/98a12c2547a44a5f03f35c108d2022cc652cbc4d https://git.kernel.org/stable/c/bf8a0f3b787ca7c5889bfca12c60c483041fbee3 https://git.kernel.org/stable/c/a1e077a3f76eea0dc671ed6792e7d543946227e8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt For XDP_TX action, the xdp_buff is converted to xdp_frame by xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame depends on the memory type of the xdp_buff. For page pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy XSK pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the memory type and always uses the page pool type, this leads to invalid mappings and causes the crash. Therefore, check the xdp_buff memory type in stmmac_xdp_xmit_back() to fix this issue. | 2026-01-13 | not yet calculated | CVE-2025-71095 | https://git.kernel.org/stable/c/3f7823219407f2f18044c2b72366a48810c5c821 https://git.kernel.org/stable/c/4d0ceb7677e1c4616afb96abb4518f70b65abb0d https://git.kernel.org/stable/c/45ee0462b88396a0bd1df1991f801c89994ea72b https://git.kernel.org/stable/c/5e5988736a95b1de7f91b10ac2575454b70e4897 https://git.kernel.org/stable/c/a48e232210009be50591fdea8ba7c07b0f566a13 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation and parsing into one function. Fixes an uninitialized read from the stack triggered by userspace if it does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE query. BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline] BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 hex_byte_pack include/linux/hex.h:13 [inline] ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline] ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline] rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x333/0x3d0 net/socket.c:729 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703 __compat_sys_sendmsg net/compat.c:346 [inline] __do_compat_sys_sendmsg net/compat.c:353 [inline] __se_compat_sys_sendmsg net/compat.c:350 [inline] __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3 | 2026-01-13 | not yet calculated | CVE-2025-71096 | https://git.kernel.org/stable/c/376f46c8983458ead26cac83aa897a0b78491831 https://git.kernel.org/stable/c/bfe10318fc23e0b3f1d0a18dad387d29473a624d https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7b https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fc https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94 https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted: # ip link add name dummy1 up type dummy # ip nexthop add id 1 dev dummy1 # ip route add 198.51.100.1/32 nhid 1 # ip route add blackhole 198.51.100.2/32 nhid 1 # ip nexthop del id 1 # ip route show blackhole 198.51.100.2 nhid 1 dev dummy1 As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak: # ip link del dev dummy1 [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 Fix by flushing error routes when their nexthop is marked as dead. IPv6 does not suffer from this problem. | 2026-01-13 | not yet calculated | CVE-2025-71097 | https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536 https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43 https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:213 ! <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 neigh_output include/net/neighbour.h:556 [inline] ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 | 2026-01-13 | not yet calculated | CVE-2025-71098 | https://git.kernel.org/stable/c/17e7386234f740f3e7d5e58a47b5847ea34c3bc2 https://git.kernel.org/stable/c/41a1a3140aff295dee8063906f70a514548105e8 https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e https://git.kernel.org/stable/c/1717357007db150c2d703f13f5695460e960f26c https://git.kernel.org/stable/c/5fe210533e3459197eabfdbf97327dacbdc04d60 https://git.kernel.org/stable/c/91a2b25be07ce1a7549ceebbe82017551d2eec92 https://git.kernel.org/stable/c/db5b4e39c4e63700c68a7e65fc4e1f1375273476 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since this lock protects the lifetime of oa_config, an attacker could guess the id and call xe_oa_remove_config_ioctl() with perfect timing, freeing oa_config before we dereference it, leading to a potential use-after-free. Fix this by caching the id in a local variable while holding the lock. v2: (Matt A) - Dropped mutex_unlock(&oa->metrics_lock) ordering change from xe_oa_remove_config_ioctl() (cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31) | 2026-01-13 | not yet calculated | CVE-2025-71099 | https://git.kernel.org/stable/c/c6d30b65b7a44dac52ad49513268adbf19eab4a2 https://git.kernel.org/stable/c/7cdb9a9da935c687563cc682155461fef5f9b48d https://git.kernel.org/stable/c/dcb171931954c51a1a7250d558f02b8f36570783 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() TID getting from ieee80211_get_tid() might be out of range of array size of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Otherwise, UBSAN warns: UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30 index 10 is out of range for type 'rtl_tid_data [9]' | 2026-01-13 | not yet calculated | CVE-2025-71100 | https://git.kernel.org/stable/c/9765d6eb8298b07d499cdf9ef7c237d3540102d6 https://git.kernel.org/stable/c/90a15ff324645aa806d81fa349497cd964861b66 https://git.kernel.org/stable/c/dd39edb445f07400e748da967a07d5dca5c5f96e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using a for loop with index variable 'elem' that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. When processing multi-element fields like PREREQUISITES and ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array elements using expressions like 'enum_obj[elem + reqs]' and 'enum_obj[elem + pos_values]' within nested loops. The bug is that the bounds check only validated elem, but did not consider the additional offset when accessing elem + reqs or elem + pos_values. The fix changes the bounds check to validate the actual accessed index. | 2026-01-13 | not yet calculated | CVE-2025-71101 | https://git.kernel.org/stable/c/cf7ae870560b988247a4bbbe5399edd326632680 https://git.kernel.org/stable/c/db4c26adf7117b1a4431d1197ae7109fee3230ad https://git.kernel.org/stable/c/79cab730dbaaac03b946c7f5681bd08c986e2abd https://git.kernel.org/stable/c/e44c42c830b7ab36e3a3a86321c619f24def5206 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scs: fix a wrong parameter in __scs_magic __scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is given. 'task_scs(tsk)' is the starting address of the task's shadow call stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's shadow call stack. Here should be '__scs_magic(task_scs(tsk))'. The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE is enabled, the shadow call stack usage checking function (scs_check_usage) would scan an incorrect memory range. This could lead to: 1. **Inaccurate stack usage reporting**: The function would calculate wrong usage statistics for the shadow call stack, potentially showing incorrect value in kmsg. 2. **Potential kernel crash**: If the value of __scs_magic(tsk) is greater than that of __scs_magic(task_scs(tsk)), the for loop may access unmapped memory, potentially causing a kernel panic. However, this scenario is unlikely because task_struct is allocated via the slab allocator (which typically returns lower addresses), while the shadow call stack returned by task_scs(tsk) is allocated via vmalloc (which typically returns higher addresses). However, since this is purely a debugging feature (CONFIG_DEBUG_STACK_USAGE), normal production systems should be unaffected. The bug only impacts developers and testers who are actively debugging stack usage with this configuration enabled. | 2026-01-14 | not yet calculated | CVE-2025-71102 | https://git.kernel.org/stable/c/1727e8bd69103a68963a5613a0ddb6d8d37df5d3 https://git.kernel.org/stable/c/cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c https://git.kernel.org/stable/c/57ba40b001be27786d0570dd292289df748b306b https://git.kernel.org/stable/c/062774439d442882b44f5eab8c256ad3423ef284 https://git.kernel.org/stable/c/9ef28943471a16e4f9646bc3e8e2de148e7d8d7b https://git.kernel.org/stable/c/a19fb3611e4c06624fc0f83ef19f4fb8d57d4751 https://git.kernel.org/stable/c/08bd4c46d5e63b78e77f2605283874bbe868ab19 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: adreno: fix deferencing ifpc_reglist when not declared On platforms with an a7xx GPU not supporting IFPC, the ifpc_reglist is still dereferenced in a7xx_patch_pwrup_reglist() which causes a kernel crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 ... pc : a6xx_hw_init+0x155c/0x1e4c [msm] lr : a6xx_hw_init+0x9a8/0x1e4c [msm] ... Call trace: a6xx_hw_init+0x155c/0x1e4c [msm] (P) msm_gpu_hw_init+0x58/0x88 [msm] adreno_load_gpu+0x94/0x1fc [msm] msm_open+0xe4/0xf4 [msm] drm_file_alloc+0x1a0/0x2e4 [drm] drm_client_init+0x7c/0x104 [drm] drm_fbdev_client_setup+0x94/0xcf0 [drm_client_lib] drm_client_setup+0xb4/0xd8 [drm_client_lib] msm_drm_kms_post_init+0x2c/0x3c [msm] msm_drm_init+0x1a4/0x228 [msm] msm_drm_bind+0x30/0x3c [msm] ... Check the validity of ifpc_reglist before dereferencing the table to setup the register values. Patchwork: https://patchwork.freedesktop.org/patch/688944/ | 2026-01-14 | not yet calculated | CVE-2025-71103 | https://git.kernel.org/stable/c/19648135e904bce447d368ecb6136e5da809639c https://git.kernel.org/stable/c/129049d4fe22c998ae9fd1ec479fbb4ed5338c15 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an expired timer over and over. In extreme scenarios, e.g. if userspace pauses/suspends a VM for an extended duration, this can even cause hard lockups in the host. Currently, the bug only affects Intel CPUs when using the hypervisor timer (HV timer), a.k.a. the VMX preemption timer. Unlike the software timer, a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the HV timer only runs while the guest is active. As a result, if the vCPU does not run for an extended duration, there will be a huge gap between the target expiration and the current time the vCPU resumes running. Because the target expiration is incremented by only one period on each timer expiration, this leads to a series of timer expirations occurring rapidly after the vCPU/VM resumes. More critically, when the vCPU first triggers a periodic HV timer expiration after resuming, advancing the expiration by only one period will result in a target expiration in the past. As a result, the delta may be calculated as a negative value. When the delta is converted into an absolute value (tscdeadline is an unsigned u64), the resulting value can overflow what the HV timer is capable of programming. I.e. the large value will exceed the VMX Preemption Timer's maximum bit width of cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the HV timer to the software timer (hrtimers). After switching to the software timer, periodic timer expiration callbacks may be executed consecutively within a single clock interrupt handler, because hrtimers honors KVM's request for an expiration in the past and immediately re-invokes KVM's callback after reprogramming. And because the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer over and over until the target expiration is advanced to "now" can result in a hard lockup. E.g. the following hard lockup was triggered in the host when running a Windows VM (only relevant because it used the APIC timer in periodic mode) after resuming the VM from a long suspend (in the host). NMI watchdog: Watchdog detected hard LOCKUP on cpu 45 ... RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm] ... RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046 RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500 RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0 R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0 R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8 FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0 PKRU: 55555554 Call Trace: <IRQ> apic_timer_fn+0x31/0x50 [kvm] __hrtimer_run_queues+0x100/0x280 hrtimer_interrupt+0x100/0x210 ? ttwu_do_wakeup+0x19/0x160 smp_apic_timer_interrupt+0x6a/0x130 apic_timer_interrupt+0xf/0x20 </IRQ> Moreover, if the suspend duration of the virtual machine is not long enough to trigger a hard lockup in this scenario, since commit 98c25ead5eda ("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM will continue using the software timer until the guest reprograms the APIC timer in some way. Since the periodic timer does not require frequent APIC timer register programming, the guest may continue to use the software timer in ---truncated--- | 2026-01-14 | not yet calculated | CVE-2025-71104 | https://git.kernel.org/stable/c/786ed625c125c5cd180d6aaa37e653e3e4ffb8d9 https://git.kernel.org/stable/c/d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73 https://git.kernel.org/stable/c/807dbe8f3862fa7c164155857550ce94b36a11b9 https://git.kernel.org/stable/c/7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed https://git.kernel.org/stable/c/e746e51947053a02af2ea964593dc4887108d379 https://git.kernel.org/stable/c/e23f46f1a971c73dad2fd63e1408696114ddebe2 https://git.kernel.org/stable/c/18ab3fc8e880791aa9f7c000261320fc812b5465 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: use global inline_xattr_slab instead of per-sb slab cache As Hong Yun reported in mailing list: loop7: detected capacity change from 0 to 131072 ------------[ cut here ]------------ kmem_cache of name 'f2fs_xattr_entry-7:7' already exists WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline] WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline] RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 Call Trace: __kmem_cache_create include/linux/slab.h:353 [inline] f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline] f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843 f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918 get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692 vfs_get_tree+0x43/0x140 fs/super.c:1815 do_new_mount+0x201/0x550 fs/namespace.c:3808 do_mount fs/namespace.c:4136 [inline] __do_sys_mount fs/namespace.c:4347 [inline] __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug can be reproduced w/ below scripts: - mount /dev/vdb /mnt1 - mount /dev/vdc /mnt2 - umount /mnt1 - mount /dev/vdb /mnt1 The reason is if we created two slab caches, named f2fs_xattr_entry-7:3 and f2fs_xattr_entry-7:7, and they have the same slab size. Actually, slab system will only create one slab cache core structure which has slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same structure and cache address. So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will decrease reference count of slab cache, rather than release slab cache entirely, since there is one more user has referenced the cache. Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again, slab system will find that there is an existing cache which has the same name and trigger the warning. Let's change to use global inline_xattr_slab instead of per-sb slab cache for fixing. | 2026-01-14 | not yet calculated | CVE-2025-71105 | https://git.kernel.org/stable/c/93d30fe19660dec6bf1bd3d5c186c1c737b21aa5 https://git.kernel.org/stable/c/474cc3ed37436ddfd63cac8dbffe3b1e219e9100 https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4 https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5 https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: PM: Fix reverse check in filesystems_freeze_callback() The freeze_all_ptr check in filesystems_freeze_callback() introduced by commit a3f8f8662771 ("power: always freeze efivarfs") is reverse which quite confusingly causes all file systems to be frozen when filesystem_freeze_enabled is false. On my systems it causes the WARN_ON_ONCE() in __set_task_frozen() to trigger, most likely due to an attempt to freeze a file system that is not ready for that. Add a logical negation to the check in question to reverse it as appropriate. | 2026-01-14 | not yet calculated | CVE-2025-71106 | https://git.kernel.org/stable/c/b107196729ff6b9d6cde0a71f49c1243def43328 https://git.kernel.org/stable/c/222047f68e8565c558728f792f6fef152a1d4d51 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none) Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:f2fs_put_super+0x3b3/0x3c0 Call Trace: <TASK> generic_shutdown_super+0x7e/0x190 kill_block_super+0x1a/0x40 kill_f2fs_super+0x9d/0x190 deactivate_locked_super+0x30/0xb0 cleanup_mnt+0xba/0x150 task_work_run+0x5c/0xa0 exit_to_user_mode_loop+0xb7/0xc0 do_syscall_64+0x1ae/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> ---[ end trace 0000000000000000 ]--- It appears that sometimes it is possible that f2fs_put_super() is called before all node page reads are completed. Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem. | 2026-01-14 | not yet calculated | CVE-2025-71107 | https://git.kernel.org/stable/c/c3031cf2b61f1508662fc95ef9ad505cb0882a5f https://git.kernel.org/stable/c/3b15d5f12935e9e25f9a571e680716bc9ee61025 https://git.kernel.org/stable/c/0b36fae23621a09e772c8adf918b9011158f8511 https://git.kernel.org/stable/c/297baa4aa263ff8f5b3d246ee16a660d76aa82c4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorrect num_connectors capability The UCSI spec states that the num_connectors field is 7 bits, and the 8th bit is reserved and should be set to zero. Some buggy FW has been known to set this bit, and it can lead to a system not booting. Flag that the FW is not behaving correctly, and auto-fix the value so that the system boots correctly. Found on Lenovo P1 G8 during Linux enablement program. The FW will be fixed, but seemed worth addressing in case it hit platforms that aren't officially Linux supported. | 2026-01-14 | not yet calculated | CVE-2025-71108 | https://git.kernel.org/stable/c/07c8d2a109d847775b3b4e2c3294c8e1eea75432 https://git.kernel.org/stable/c/58941bbb0050e365a98c64f1fc4a9a0ac127dba6 https://git.kernel.org/stable/c/f72f97d0aee4a993a35f2496bca5efd24827235d https://git.kernel.org/stable/c/914605b0de8128434eafc9582445306830748b93 https://git.kernel.org/stable/c/3042a57a8e8bce4a3100c3f6f03dc372aab24943 https://git.kernel.org/stable/c/132fe187e0d940f388f839fe2cde9b84106ad20d https://git.kernel.org/stable/c/30cd2cb1abf4c4acdb1ddb468c946f68939819fb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions. At the same time, the code in ftrace assumes that no more than 2 instructions can be generated, which is why it stores them in an int[2] array. However, as previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA) causes a buffer overflow when _mcount is beyond 32 bits. This leads to corruption of the variables located in the __read_mostly section. This corruption was observed because the variable __cpu_primary_thread_mask was corrupted, causing a hang very early during boot. This fix prevents the corruption by avoiding the generation of instructions if they could exceed 2 instructions in length. Fortunately, insn_la_mcount is only used if the instrumented code is located outside the kernel code section, so dynamic ftrace can still be used, albeit in a more limited scope. This is still preferable to corrupting memory and/or crashing the kernel. | 2026-01-14 | not yet calculated | CVE-2025-71109 | https://git.kernel.org/stable/c/e3e33ac2eb69d595079a1a1e444c2fb98efdd42d https://git.kernel.org/stable/c/7f39b9d0e86ed6236b9a5fb67616ab1f76c4f150 https://git.kernel.org/stable/c/36dac9a3dda1f2bae343191bc16b910c603cac25 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free(). On ARM64 with MTE (Memory Tagging Extension), kasan_slab_free() poisons the memory and changes the tag from the original (e.g., 0xf3) to a poison tag (0xfe). When defer_free() then tries to write to the freed object to build the deferred free list via llist_add(), the pointer still has the old tag, causing a tag mismatch and triggering a KASAN use-after-free report: BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537 Write at addr f3f000000854f020 by task kworker/u8:6/983 Pointer tag: [f3], memory tag: [fe] Fix this by calling kasan_reset_tag() before accessing the freed memory. This is safe because defer_free() is part of the allocator itself and is expected to manipulate freed memory for bookkeeping purposes. | 2026-01-14 | not yet calculated | CVE-2025-71110 | https://git.kernel.org/stable/c/65d4e5af2a2e82f4fc50d8259aee208fbc6b2c1d https://git.kernel.org/stable/c/53ca00a19d345197a37a1bf552e8d1e7b091666c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-by-zero errors. Convert the macro to a static function. This guarantees that arguments are evaluated only once (pass-by-value), preventing the race conditions. Additionally, in store_fan_div, move the calculation of the minimum limit inside the update lock. This ensures that the read-modify-write sequence operates on consistent data. Adhere to the principle of minimal changes by only converting macros that evaluate arguments multiple times and are used in lockless contexts. | 2026-01-14 | not yet calculated | CVE-2025-71111 | https://git.kernel.org/stable/c/3dceb68f6ad33156032ef4da21a93d84059cca6d https://git.kernel.org/stable/c/bf5b03227f2e6d4360004886d268f9df8993ef8f https://git.kernel.org/stable/c/f2b579a0c37c0df19603d719894a942a295f634a https://git.kernel.org/stable/c/f94800fbc26ccf7c81eb791707b038a57aa39a18 https://git.kernel.org/stable/c/a9fb6e8835a22f5796c1182ed612daed3fd273af https://git.kernel.org/stable/c/c8cf0c2bdcccc6634b6915ff793b844e12436680 https://git.kernel.org/stable/c/670d7ef945d3a84683594429aea6ab2cdfa5ceb4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validation before using Currently, the VLAN id may be used without validation when receiving a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause out-of-bounds memory access once the VLAN id is bigger than or equal to VLAN_N_VID. Therefore, VLAN id needs to be checked to ensure it is within the range of VLAN_N_VID. | 2026-01-14 | not yet calculated | CVE-2025-71112 | https://git.kernel.org/stable/c/46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8 https://git.kernel.org/stable/c/42c91dfa772c57de141e5a55a187ac760c0fd7e1 https://git.kernel.org/stable/c/00e56a7706e10b3d00a258d81fcb85a7e96372d6 https://git.kernel.org/stable/c/b7b4f3bf118f51b67691a55b464f04452e5dc6fc https://git.kernel.org/stable/c/95cca255a7a5ad782639ff0298c2a486707d1046 https://git.kernel.org/stable/c/91a51d01be5c9f82c12c2921ca5cceaa31b67128 https://git.kernel.org/stable/c/6ef935e65902bfed53980ad2754b06a284ea8ac1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - zero initialize memory allocated via sock_kmalloc Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future. The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures. A particular issue has been observed with the newly added 'inflight' variable introduced in af_alg_ctx by commit: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures. Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data. | 2026-01-14 | not yet calculated | CVE-2025-71113 | https://git.kernel.org/stable/c/e125c8e346e4eb7b3e854c862fcb4392bc13ddba https://git.kernel.org/stable/c/543bf004e4eafbb302b1e6c78570d425d2ca13a0 https://git.kernel.org/stable/c/f81244fd6b14fecfa93b66b6bb1d59f96554e550 https://git.kernel.org/stable/c/84238876e3b3b262cf62d5f4d1338e983fb27010 https://git.kernel.org/stable/c/5a4b65523608974a81edbe386f8a667a3e10c726 https://git.kernel.org/stable/c/51a5ab36084f3251ef87eda3e6a6236f6488925e https://git.kernel.org/stable/c/6f6e309328d53a10c0fe1f77dec2db73373179b6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang due to unnamed resource allocation The VIA watchdog driver uses allocate_resource() to reserve a MMIO region for the watchdog control register. However, the allocated resource was not given a name, which causes the kernel resource tree to contain an entry marked as "<BAD>" under /proc/iomem on x86 platforms. During boot, this unnamed resource can lead to a critical hang because subsequent resource lookups and conflict checks fail to handle the invalid entry properly. | 2026-01-14 | not yet calculated | CVE-2025-71114 | https://git.kernel.org/stable/c/1d56025a3af50db0f3da2792f41eb9943eee5324 https://git.kernel.org/stable/c/c7b986adc9e9336066350542ac5a2005d305ae78 https://git.kernel.org/stable/c/47c910965c936724070d2a8094a4c3ed8f452856 https://git.kernel.org/stable/c/d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d https://git.kernel.org/stable/c/f7b6370d0fbee06a867037d675797a606cb62e57 https://git.kernel.org/stable/c/c6a2dd4f2e4e6cbdfe7a1618160281af897b75db https://git.kernel.org/stable/c/7aa31ee9ec92915926e74731378c009c9cc04928 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: um: init cpu_tasks[] earlier This is currently done in uml_finishsetup(), but e.g. with KCOV enabled we'll crash because some init code can call into e.g. memparse(), which has coverage annotations, and then the checks in check_kcov_mode() crash because current is NULL. Simply initialize the cpu_tasks[] array statically, which fixes the crash. For the later SMP work, it seems to have not really caused any problems yet, but initialize all of the entries anyway. | 2026-01-14 | not yet calculated | CVE-2025-71115 | https://git.kernel.org/stable/c/dbbf6d47130674640cd12a0781a0fb2a575d0e44 https://git.kernel.org/stable/c/7b5d4416964c07c902163822a30a622111172b01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped. | 2026-01-14 | not yet calculated | CVE-2025-71116 | https://git.kernel.org/stable/c/d061be4c8040ffb1110d537654a038b8b6ad39d2 https://git.kernel.org/stable/c/145d140abda80e33331c5781d6603014fa75d258 https://git.kernel.org/stable/c/c82e39ff67353a5a6cbc07b786b8690bd2c45aaa https://git.kernel.org/stable/c/e927ab132b87ba3f076705fc2684d94b24201ed1 https://git.kernel.org/stable/c/5d0d8c292531fe356c4e94dcfdf7d7212aca9957 https://git.kernel.org/stable/c/2acb8517429ab42146c6c0ac1daed1f03d2fd125 https://git.kernel.org/stable/c/8c738512714e8c0aa18f8a10c072d5b01c83db39 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: Remove queue freezing from several sysfs store callbacks Freezing the request queue from inside sysfs store callbacks may cause a deadlock in combination with the dm-multipath driver and the queue_if_no_path option. Additionally, freezing the request queue slows down system boot on systems where sysfs attributes are set synchronously. Fix this by removing the blk_mq_freeze_queue() / blk_mq_unfreeze_queue() calls from the store callbacks that do not strictly need these callbacks. Add the __data_racy annotation to request_queue.rq_timeout to suppress KCSAN data race reports about the rq_timeout reads. This patch may cause a small delay in applying the new settings. For all the attributes affected by this patch, I/O will complete correctly whether the old or the new value of the attribute is used. This patch affects the following sysfs attributes: * io_poll_delay * io_timeout * nomerges * read_ahead_kb * rq_affinity Here is an example of a deadlock triggered by running test srp/002 if this patch is not applied: task:multipathd Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 schedule_preempt_disabled+0x1c/0x30 __mutex_lock+0xb89/0x1650 mutex_lock_nested+0x1f/0x30 dm_table_set_restrictions+0x823/0xdf0 __bind+0x166/0x590 dm_swap_table+0x2a7/0x490 do_resume+0x1b1/0x610 dev_suspend+0x55/0x1a0 ctl_ioctl+0x3a5/0x7e0 dm_ctl_ioctl+0x12/0x20 __x64_sys_ioctl+0x127/0x1a0 x64_sys_call+0xe2b/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> task:(udev-worker) Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 blk_mq_freeze_queue_wait+0xf2/0x140 blk_mq_freeze_queue_nomemsave+0x23/0x30 queue_ra_store+0x14e/0x290 queue_attr_store+0x23e/0x2c0 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3b2/0x630 vfs_write+0x4fd/0x1390 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x276/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> | 2026-01-14 | not yet calculated | CVE-2025-71117 | https://git.kernel.org/stable/c/3997b3147c7b68b0308378fa95a766015f8ceb1c https://git.kernel.org/stable/c/935a20d1bebf6236076785fac3ff81e3931834e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid walking the Namespace if start_node is NULL Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace if it is not there") fixed the situation when both start_node and acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed on Honor Magicbook 14 Pro [1]. That happens due to the access to the member of parent_node in acpi_ns_get_next_node(). The NULL pointer dereference will always happen, no matter whether or not the start_node is equal to ACPI_ROOT_OBJECT, so move the check of start_node being NULL out of the if block. Unfortunately, all the attempts to contact Honor have failed, they refused to provide any technical support for Linux. The bad DSDT table's dump could be found on GitHub [2]. DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025 [ rjw: Subject adjustment, changelog edits ] | 2026-01-14 | not yet calculated | CVE-2025-71118 | https://git.kernel.org/stable/c/b84edef48cc8afb41150949a87dcfa81bc95b53e https://git.kernel.org/stable/c/ecb296286c8787895625bd4c53e9478db4ae139c https://git.kernel.org/stable/c/7f9b951ed11842373851dd3c91860778356d62d3 https://git.kernel.org/stable/c/1bc34293dfbd266c29875206849b4f8e8177e6df https://git.kernel.org/stable/c/0d8bb08126920fd4b12dbf32d9250757c9064b36 https://git.kernel.org/stable/c/f91dad0a3b381244183ffbea4cec5a7a69d6f41e https://git.kernel.org/stable/c/9d6c58dae8f6590c746ac5d0012ffe14a77539f0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/kexec: Enable SMT before waking offline CPUs If SMT is disabled or a partial SMT state is enabled, when a new kernel image is loaded for kexec, on reboot the following warning is observed: kexec: Waking offline cpu 228. WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc [snip] NIP kexec_prepare_cpus+0x1b0/0x1bc LR kexec_prepare_cpus+0x1a0/0x1bc Call Trace: kexec_prepare_cpus+0x1a0/0x1bc (unreliable) default_machine_kexec+0x160/0x19c machine_kexec+0x80/0x88 kernel_kexec+0xd0/0x118 __do_sys_reboot+0x210/0x2c4 system_call_exception+0x124/0x320 system_call_vectored_common+0x15c/0x2ec This occurs as add_cpu() fails due to cpu_bootable() returning false for CPUs that fail the cpu_smt_thread_allowed() check or non primary threads if SMT is disabled. Fix the issue by enabling SMT and resetting the number of SMT threads to the number of threads per core, before attempting to wake up all present CPUs. | 2026-01-14 | not yet calculated | CVE-2025-71119 | https://git.kernel.org/stable/c/7cccd82a0e4aad192fd74fc60e61ed9aed5857a3 https://git.kernel.org/stable/c/d790ef0c4819424ee0c2f448c0a8154c5ca369d1 https://git.kernel.org/stable/c/f0c0a681ffb77b8c5290c88c02d968199663939b https://git.kernel.org/stable/c/0d5c9e901ad40bd39b38e119c0454b52d7663930 https://git.kernel.org/stable/c/c2296a1e42418556efbeb5636c4fa6aa6106713a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0. | 2026-01-14 | not yet calculated | CVE-2025-71120 | https://git.kernel.org/stable/c/a8f1e445ce3545c90d69c9e8ff8f7821825fe810 https://git.kernel.org/stable/c/4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d https://git.kernel.org/stable/c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd https://git.kernel.org/stable/c/7452d53f293379e2c38cfa8ad0694aa46fc4788b https://git.kernel.org/stable/c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19 https://git.kernel.org/stable/c/1c8bb965e9b0559ff0f5690615a527c30f651dd8 https://git.kernel.org/stable/c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: parisc: Do not reprogram affinity on ASP chip The ASP chip is a very old variant of the GSP chip and is used e.g. in HP 730 workstations. When trying to reprogram the affinity it will crash with a HPMC as the relevant registers don't seem to be at the usual location. Let's avoid the crash by checking the sversion. Also note that reprogramming isn't necessary either, as the HP730 is just a single-CPU machine. | 2026-01-14 | not yet calculated | CVE-2025-71121 | https://git.kernel.org/stable/c/845a92b74cf7a730200532ecb4482981cec9d006 https://git.kernel.org/stable/c/7a146f34e5be96330467397c9fd9d3d851b2cbbe https://git.kernel.org/stable/c/4d0858bbeea12a50bfb32137f74d4b74917ebadd https://git.kernel.org/stable/c/e09fd2eb6d4c993ee9eaae556cb51e30ec1042df https://git.kernel.org/stable/c/60560d13ff368415c96a0c1247bea16d427c0641 https://git.kernel.org/stable/c/c8f810e20f4bbe50b49f73429d9fa6efad00623e https://git.kernel.org/stable/c/dca7da244349eef4d78527cafc0bf80816b261f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED syzkaller found it could overflow math in the test infrastructure and cause a WARN_ON by corrupting the reserved interval tree. This only affects test kernels with CONFIG_IOMMUFD_TEST. Validate the user input length in the test ioctl. | 2026-01-14 | not yet calculated | CVE-2025-71122 | https://git.kernel.org/stable/c/4cc829d61f10c20523fd4085c1546e741a792a97 https://git.kernel.org/stable/c/e6c122cffcbb2e84d321ec8ba0e38ce8e7c10925 https://git.kernel.org/stable/c/b166b8e0a381429fefd9180e67fbc834b3cee82f https://git.kernel.org/stable/c/e6a973af11135439de32ece3b9cbe3bfc043bea8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard. So if this happens, the following warning is observed: strnlen: detected buffer overflow: 65 byte read of buffer size 64 WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Modules linked in: CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Call Trace: <TASK> __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039 strnlen include/linux/fortify-string.h:235 [inline] sized_strscpy include/linux/fortify-string.h:309 [inline] parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline] __ext4_fill_super fs/ext4/super.c:5261 [inline] ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706 get_tree_bdev_flags+0x387/0x620 fs/super.c:1636 vfs_get_tree+0x93/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3553 [inline] path_mount+0x6ae/0x1f70 fs/namespace.c:3880 do_mount fs/namespace.c:3893 [inline] __do_sys_mount fs/namespace.c:4103 [inline] __se_sys_mount fs/namespace.c:4080 [inline] __x64_sys_mount+0x280/0x300 fs/namespace.c:4080 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Since userspace is expected to provide s_mount_opts field to be at most 63 characters long with the ending byte being NUL-term, use a 64-byte buffer which matches the size of s_mount_opts, so that strscpy_pad() does its job properly. Return with error if the user still managed to provide a non-NUL-term string here. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2026-01-14 | not yet calculated | CVE-2025-71123 | https://git.kernel.org/stable/c/52ac96c4a2dd7bc47666000440b0602d9742e820 https://git.kernel.org/stable/c/6e37143560e37869d51b7d9e0ac61fc48895f8a0 https://git.kernel.org/stable/c/902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc https://git.kernel.org/stable/c/db9ee13fab0267eccf6544ee35b16c9522db9aac https://git.kernel.org/stable/c/5bbacbbf1ca4419861dca3c6b82707c10e9c021c https://git.kernel.org/stable/c/ee5a977b4e771cc181f39d504426dbd31ed701cc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: move preempt_prepare_postamble after error check Move the call to preempt_prepare_postamble() after verifying that preempt_postamble_ptr is valid. If preempt_postamble_ptr is NULL, dereferencing it in preempt_prepare_postamble() would lead to a crash. This change avoids calling the preparation function when the postamble allocation has failed, preventing potential NULL pointer dereference and ensuring proper error handling. Patchwork: https://patchwork.freedesktop.org/patch/687659/ | 2026-01-14 | not yet calculated | CVE-2025-71124 | https://git.kernel.org/stable/c/2c46497eb148ec61909f4101b8443f3c4c2daaec https://git.kernel.org/stable/c/ef3b04091fd8bc737dc45312375df8625b8318e2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Do not register unsupported perf events Synthetic events currently do not have a function to register perf events. This leads to calling the tracepoint register functions with a NULL function pointer which triggers: ------------[ cut here ]------------ WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272 Modules linked in: kvm_intel kvm irqbypass CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:tracepoint_add_func+0x357/0x370 Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246 RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000 RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8 RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780 R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78 FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0 Call Trace: <TASK> tracepoint_probe_register+0x5d/0x90 synth_event_reg+0x3c/0x60 perf_trace_event_init+0x204/0x340 perf_trace_init+0x85/0xd0 perf_tp_event_init+0x2e/0x50 perf_try_init_event+0x6f/0x230 ? perf_event_alloc+0x4bb/0xdc0 perf_event_alloc+0x65a/0xdc0 __se_sys_perf_event_open+0x290/0x9f0 do_syscall_64+0x93/0x7b0 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e ? trace_hardirqs_off+0x53/0xc0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Instead, have the code return -ENODEV, which doesn't warn and has perf error out with: # perf record -e synthetic:futex_wait Error: The sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait). "dmesg | grep -i perf" may provide additional information. Ideally perf should support synthetic events, but for now just fix the warning. The support can come later. | 2026-01-14 | not yet calculated | CVE-2025-71125 | https://git.kernel.org/stable/c/6819bc6285c0ff835f67cfae7efebc03541782f6 https://git.kernel.org/stable/c/6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc https://git.kernel.org/stable/c/f7305697b60d79bc69c0a6e280fc931b4e8862dd https://git.kernel.org/stable/c/65b1971147ec12f0b1cee0811c859a3d7d9b04ce https://git.kernel.org/stable/c/3437c775bf209c674ad66304213b6b3c3b1b3f69 https://git.kernel.org/stable/c/6df47e5bb9b62d72f186f826ab643ea1856877c7 https://git.kernel.org/stable/c/ef7f38df890f5dcd2ae62f8dbde191d72f3bebae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: avoid deadlock on fallback while reinjecting Jakub reported an MPTCP deadlock at fallback time: WARNING: possible recursive locking detected 6.18.0-rc7-virtme #1 Not tainted -------------------------------------------- mptcp_connect/20858 is trying to acquire lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280 but task is already holding lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&msk->fallback_lock); lock(&msk->fallback_lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by mptcp_connect/20858: #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0 #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0 #2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 stack backtrace: CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full) Hardware name: Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_deadlock_bug.cold+0xc0/0xcd validate_chain+0x2ff/0x5f0 __lock_acquire+0x34c/0x740 lock_acquire.part.0+0xbc/0x260 _raw_spin_lock_bh+0x38/0x50 __mptcp_try_fallback+0xd8/0x280 mptcp_sendmsg_frag+0x16c2/0x3050 __mptcp_retrans+0x421/0xaa0 mptcp_release_cb+0x5aa/0xa70 release_sock+0xab/0x1d0 mptcp_sendmsg+0xd5b/0x1bc0 sock_write_iter+0x281/0x4d0 new_sync_write+0x3c5/0x6f0 vfs_write+0x65e/0xbb0 ksys_write+0x17e/0x200 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fa5627cbc5e Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005 RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920 R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c The packet scheduler could attempt a reinjection after receiving an MP_FAIL and before the infinite map has been transmitted, causing a deadlock since MPTCP needs to do the reinjection atomically from WRT fallback. Address the issue explicitly avoiding the reinjection in the critical scenario. Note that this is the only fallback critical section that could potentially send packets and hit the double-lock. | 2026-01-14 | not yet calculated | CVE-2025-71126 | https://git.kernel.org/stable/c/0107442e82c0f8d6010e07e6030741c59c520d6e https://git.kernel.org/stable/c/252892d5a6a2f163ce18f32716e46fa4da7d4e79 https://git.kernel.org/stable/c/0ca9fb4335e726dab4f23b3bfe87271d8f005f41 https://git.kernel.org/stable/c/50f47c02be419bf0a3ae94c118addf67beef359f https://git.kernel.org/stable/c/ffb8c27b0539dd90262d1021488e7817fae57c42 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Discard Beacon frames to non-broadcast address Beacon frames are required to be sent to the broadcast address, see IEEE Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame shall be set to the broadcast address"). A unicast Beacon frame might be used as a targeted attack to get one of the associated STAs to do something (e.g., using CSA to move it to another channel). As such, it is better to have strict filtering for this on the received side and discard all Beacon frames that are sent to an unexpected address. This is even more important for cases where beacon protection is used. The current implementation in mac80211 is correctly discarding unicast Beacon frames if the Protected Frame bit in the Frame Control field is set to 0. However, if that bit is set to 1, the logic used for checking for configured BIGTK(s) does not actually work. If the driver does not have logic for dropping unicast Beacon frames with Protected Frame bit 1, these frames would be accepted in mac80211 processing as valid Beacon frames even though they are not protected. This would allow beacon protection to be bypassed. While the logic for checking beacon protection could be extended to cover this corner case, a more generic check to discard all Beacon frames based on A1=unicast address covers this without needing additional changes. Address all these issues by dropping received Beacon frames if they are sent to a non-broadcast address. | 2026-01-14 | not yet calculated | CVE-2025-71127 | https://git.kernel.org/stable/c/be0974be5c42584e027883ac2af7dab5e950098c https://git.kernel.org/stable/c/0a59a3895f804469276d188effa511c72e752f35 https://git.kernel.org/stable/c/88aab153d1528bc559292a12fb5105ee97528e1f https://git.kernel.org/stable/c/6e5bff40bb38741e40c33043ba0816fba5f93661 https://git.kernel.org/stable/c/7b240a8935d554ad36a52c2c37c32039f9afaef2 https://git.kernel.org/stable/c/a21704df4024708be698fb3fd5830d5b113b70e0 https://git.kernel.org/stable/c/193d18f60588e95d62e0f82b6a53893e5f2f19f8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erspan: Initialize options_len before referencing options. The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. After scanning through the files that use struct ip_tunnel_info and also refer to options or options_len, it appears the normal case is to use the ip_tunnel_info_opts_set() helper. Said helper would initialize options_len properly before copying data into options, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Reported-at: https://launchpad.net/bugs/2129580 | 2026-01-14 | not yet calculated | CVE-2025-71128 | https://git.kernel.org/stable/c/b282b2a9eed848587c1348abdd5d83fa346a2743 https://git.kernel.org/stable/c/35ddf66c65eff93fff91406756ba273600bf61a3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Sign extend kfunc call arguments The kfunc calls are native calls so they should follow LoongArch calling conventions. Sign extend its arguments properly to avoid kernel panic. This is done by adding a new emit_abi_ext() helper. The emit_abi_ext() helper performs extension in place, meaning a value already stored in the target register (Note: this is different from the existing sign_extend() helper and thus we can't reuse it). | 2026-01-14 | not yet calculated | CVE-2025-71129 | https://git.kernel.org/stable/c/fd43edf357a3a1f5ed1c4bf450b60001c9091c39 https://git.kernel.org/stable/c/0d666db731e95890e0eda7ea61bc925fd2be90c6 https://git.kernel.org/stable/c/321993a874f571a94b5a596f1132f798c663b56e https://git.kernel.org/stable/c/3f5a238f24d7b75f9efe324d3539ad388f58536e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Initialize the eb.vma array with values of 0 when the eb structure is first set up. In particular, this sets the eb->vma[i].vma pointers to NULL, simplifying cleanup and getting rid of the bug described below. During the execution of eb_lookup_vmas(), the eb->vma array is successively filled up with struct eb_vma objects. This process includes calling eb_add_vma(), which might fail; however, even in the event of failure, eb->vma[i].vma is set for the currently processed buffer. If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which prompts a call to eb_release_vmas() to clean up the mess. Since eb_lookup_vmas() might fail during processing any (possibly not first) buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know at what point did the lookup function fail. In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is set to NULL in case i915_gem_object_userptr_submit_init() fails; the current one needs to be cleaned up by eb_release_vmas() at this point, so the next one is set. If eb_add_vma() fails, neither the current nor the next vma is set to NULL, which is a source of a NULL deref bug described in the issue linked in the Closes tag. When entering eb_lookup_vmas(), the vma pointers are set to the slab poison value, instead of NULL. This doesn't matter for the actual lookup, since it gets overwritten anyway, however the eb_release_vmas() function only recognizes NULL as the stopping value, hence the pointers are being set to NULL as they go in case of intermediate failure. This patch changes the approach to filling them all with NULL at the start instead, rather than handling that manually during failure. (cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd) | 2026-01-14 | not yet calculated | CVE-2025-71130 | https://git.kernel.org/stable/c/25d69e07770745992387c016613fd7ac8eaf9893 https://git.kernel.org/stable/c/0336188cc85d0eab8463bd1bbd4ded4e9602de8b https://git.kernel.org/stable/c/24d55ac8e31d2f8197bfad71ffcb3bae21ed7117 https://git.kernel.org/stable/c/63f23aa2fbb823c8b15a29269fde220d227ce5b3 https://git.kernel.org/stable/c/4fe2bd195435e71c117983d87f278112c5ab364c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid. Instead of checking req->iv against info, create a new variable unaligned_info and use it for that purpose instead. | 2026-01-14 | not yet calculated | CVE-2025-71131 | https://git.kernel.org/stable/c/18202537856e0fae079fed2c9308780bcff2bb9d https://git.kernel.org/stable/c/baf0e2d1e03ddb04781dfe7f22a654d3611f69b2 https://git.kernel.org/stable/c/50f196d2bbaee4ab2494bb1b0d294deba292951a https://git.kernel.org/stable/c/0279978adec6f1296af66b642cce641c6580be46 https://git.kernel.org/stable/c/ccbb96434d88e32358894c879457b33f7508e798 https://git.kernel.org/stable/c/5476f7f8a311236604b78fcc5b2a63b3a61b0169 https://git.kernel.org/stable/c/50fdb78b7c0bcc550910ef69c0984e751cac72fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smc91x: fix broken irq-context in PREEMPT_RT When smc91x.c is built with PREEMPT_RT, the following splat occurs in FVP_RevC: [ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000 [ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106] [ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work [ 13.062266] C ** replaying previous printk message ** [ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)} [ 13.062353] Hardware name: , BIOS [ 13.062382] Workqueue: mld mld_ifc_work [ 13.062469] Call trace: [ 13.062494] show_stack+0x24/0x40 (C) [ 13.062602] __dump_stack+0x28/0x48 [ 13.062710] dump_stack_lvl+0x7c/0xb0 [ 13.062818] dump_stack+0x18/0x34 [ 13.062926] process_scheduled_works+0x294/0x450 [ 13.063043] worker_thread+0x260/0x3d8 [ 13.063124] kthread+0x1c4/0x228 [ 13.063235] ret_from_fork+0x10/0x20 This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT, but smc_special_unlock() does not restore IRQs on PREEMPT_RT. The reason is that smc_special_unlock() calls spin_unlock_irqrestore(), and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero. To address this issue, replace smc_special_trylock() with spin_trylock_irqsave(). | 2026-01-14 | not yet calculated | CVE-2025-71132 | https://git.kernel.org/stable/c/1c4cb705e733250d13243f6a69b8b5a92e39b9f6 https://git.kernel.org/stable/c/9d222141b00156509d67d80c771fbefa92c43ace https://git.kernel.org/stable/c/ef277ae121b3249c99994652210a326b52d527b0 https://git.kernel.org/stable/c/36561b86cb2501647662cfaf91286dd6973804a6 https://git.kernel.org/stable/c/b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3 https://git.kernel.org/stable/c/6402078bd9d1ed46e79465e1faaa42e3458f8a33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: avoid invalid read in irdma_net_event irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. Other events come with different structures pointed to by "ptr" and they may be smaller than struct neighbour. Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case. The bug is mostly harmless, but it triggers KASAN on debug kernels: BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma] Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554 CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1 Hardware name: [...] Workqueue: events rt6_probe_deferred Call Trace: <IRQ> dump_stack_lvl+0x60/0xb0 print_address_description.constprop.0+0x2c/0x3f0 print_report+0xb4/0x270 kasan_report+0x92/0xc0 irdma_net_event+0x32e/0x3b0 [irdma] notifier_call_chain+0x9e/0x180 atomic_notifier_call_chain+0x5c/0x110 rt6_do_redirect+0xb91/0x1080 tcp_v6_err+0xe9b/0x13e0 icmpv6_notify+0x2b2/0x630 ndisc_redirect_rcv+0x328/0x530 icmpv6_rcv+0xc16/0x1360 ip6_protocol_deliver_rcu+0xb84/0x12e0 ip6_input_finish+0x117/0x240 ip6_input+0xc4/0x370 ipv6_rcv+0x420/0x7d0 __netif_receive_skb_one_core+0x118/0x1b0 process_backlog+0xd1/0x5d0 __napi_poll.constprop.0+0xa3/0x440 net_rx_action+0x78a/0xba0 handle_softirqs+0x2d4/0x9c0 do_softirq+0xad/0xe0 </IRQ> | 2026-01-14 | not yet calculated | CVE-2025-71133 | https://git.kernel.org/stable/c/db93ae6fa66f1c61ae63400191195e3ee58021da https://git.kernel.org/stable/c/305c02e541befe4a44ffde30ed374970f41aeb6c https://git.kernel.org/stable/c/fc23d05f0b3fb4d80657e7afebae2cae686b31c8 https://git.kernel.org/stable/c/bf197c7c79ef6458d1ee84dd7db251b51784885f https://git.kernel.org/stable/c/d9b9affd103f51b42322da4ed5ac025b560bc354 https://git.kernel.org/stable/c/6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: change all pageblocks migrate type on coalescing When a page is freed it coalesces with a buddy into a higher order page while possible. When the buddy page migrate type differs, it is expected to be updated to match the one of the page being freed. However, only the first pageblock of the buddy page is updated, while the rest of the pageblocks are left unchanged. That causes warnings in later expand() and other code paths (like below), since an inconsistency between migration type of the list containing the page and the page-owned pageblocks migration types is introduced. [ 308.986589] ------------[ cut here ]------------ [ 308.987227] page type is 0, passed migratetype is 1 (nr=256) [ 308.987275] WARNING: CPU: 1 PID: 5224 at mm/page_alloc.c:812 expand+0x23c/0x270 [ 308.987293] Modules linked in: algif_hash(E) af_alg(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) nf_tables(E) s390_trng(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) sch_fq_codel(E) drm(E) i2c_core(E) drm_panel_orientation_quirks(E) loop(E) nfnetlink(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vsock(E) ctcm(E) fsm(E) diag288_wdt(E) watchdog(E) zfcp(E) scsi_transport_fc(E) ghash_s390(E) prng(E) aes_s390(E) des_generic(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha_common(E) paes_s390(E) crypto_engine(E) pkey_cca(E) pkey_ep11(E) zcrypt(E) rng_core(E) pkey_pckmo(E) pkey(E) autofs4(E) [ 308.987439] Unloaded tainted modules: hmac_s390(E):2 [ 308.987650] CPU: 1 UID: 0 PID: 5224 Comm: mempig_verify Kdump: loaded Tainted: G E 6.18.0-gcc-bpf-debug #431 PREEMPT [ 308.987657] Tainted: [E]=UNSIGNED_MODULE [ 308.987661] Hardware name: IBM 3906 M04 704 (z/VM 7.3.0) [ 308.987666] Krnl PSW : 0404f00180000000 00000349976fa600 (expand+0x240/0x270) [ 308.987676] R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3 [ 308.987682] Krnl GPRS: 0000034980000004 0000000000000005 0000000000000030 000003499a0e6d88 [ 308.987688] 0000000000000005 0000034980000005 000002be803ac000 0000023efe6c8300 [ 308.987692] 0000000000000008 0000034998d57290 000002be00000100 0000023e00000008 [ 308.987696] 0000000000000000 0000000000000000 00000349976fa5fc 000002c99b1eb6f0 [ 308.987708] Krnl Code: 00000349976fa5f0: c020008a02f2 larl %r2,000003499883abd4 00000349976fa5f6: c0e5ffe3f4b5 brasl %r14,0000034997378f60 #00000349976fa5fc: af000000 mc 0,0 >00000349976fa600: a7f4ff4c brc 15,00000349976fa498 00000349976fa604: b9040026 lgr %r2,%r6 00000349976fa608: c0300088317f larl %r3,0000034998800906 00000349976fa60e: c0e5fffdb6e1 brasl %r14,00000349976b13d0 00000349976fa614: af000000 mc 0,0 [ 308.987734] Call Trace: [ 308.987738] [<00000349976fa600>] expand+0x240/0x270 [ 308.987744] ([<00000349976fa5fc>] expand+0x23c/0x270) [ 308.987749] [<00000349976ff95e>] rmqueue_bulk+0x71e/0x940 [ 308.987754] [<00000349976ffd7e>] __rmqueue_pcplist+0x1fe/0x2a0 [ 308.987759] [<0000034997700966>] rmqueue.isra.0+0xb46/0xf40 [ 308.987763] [<0000034997703ec8>] get_page_from_freelist+0x198/0x8d0 [ 308.987768] [<0000034997706fa8>] __alloc_frozen_pages_noprof+0x198/0x400 [ 308.987774] [<00000349977536f8>] alloc_pages_mpol+0xb8/0x220 [ 308.987781] [<0000034997753bf6>] folio_alloc_mpol_noprof+0x26/0xc0 [ 308.987786] [<0000034997753e4c>] vma_alloc_folio_noprof+0x6c/0xa0 [ 308.987791] [<0000034997775b22>] vma_alloc_anon_folio_pmd+0x42/0x240 [ 308.987799] [<000003499777bfea>] __do_huge_pmd_anonymous_page+0x3a/0x210 [ 308.987804] [<00000349976cb0 ---truncated--- | 2026-01-14 | not yet calculated | CVE-2025-71134 | https://git.kernel.org/stable/c/914769048818021556c940b9163e8056be9507dd https://git.kernel.org/stable/c/a794d65b132107a085d165caba33aae1101316a5 https://git.kernel.org/stable/c/7838a4eb8a1d23160bd3f588ea7f2b8f7c00c55b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() The variable mddev->private is first assigned to conf and then checked: conf = mddev->private; if (!conf) ... If conf is NULL, then mddev->private is also NULL. In this case, null-pointer dereferences can occur when calling raid5_quiesce(): raid5_quiesce(mddev, true); raid5_quiesce(mddev, false); since mddev->private is assigned to conf again in raid5_quiesce(), and conf is dereferenced in several places, for example: conf->quiesce = 0; wake_up(&conf->wait_for_quiescent); To fix this issue, the function should unlock mddev and return before invoking raid5_quiesce() when conf is NULL, following the existing pattern in raid5_change_consistency_policy(). | 2026-01-14 | not yet calculated | CVE-2025-71135 | https://git.kernel.org/stable/c/20597b7229aea8b5bc45cd92097640257c7fc33b https://git.kernel.org/stable/c/e5abb6af905de6b2fead8a0b3f32ab0b81468a01 https://git.kernel.org/stable/c/7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays. Fix that by checking return values where it's needed. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-01-14 | not yet calculated | CVE-2025-71136 | https://git.kernel.org/stable/c/f81ee181cb036d046340c213091b69d9a8701a76 https://git.kernel.org/stable/c/f913b9a2ccd6114b206b9e91dae5e3dc13a415a0 https://git.kernel.org/stable/c/d6a22a4a96e4dfe6897cb3532d2b3016d87706f0 https://git.kernel.org/stable/c/a73881ae085db5702d8b13e2fc9f78d51c723d3f https://git.kernel.org/stable/c/60dde0960e3ead8a9569f6c494d90d0232ac0983 https://git.kernel.org/stable/c/b693d48a6ed0cd09171103ad418e4a693203d6e4 https://git.kernel.org/stable/c/8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below the permitted length. This avoids UBSAN shift-out-of-bounds errors when users pass small or zero ring sizes via ethtool -G. | 2026-01-14 | not yet calculated | CVE-2025-71137 | https://git.kernel.org/stable/c/5d8dfa3abb9a845302e021cf9c92d941abbc011a https://git.kernel.org/stable/c/4cc4cfe4d23c883120b6f3d41145edbaa281f2ab https://git.kernel.org/stable/c/658caf3b8aad65f8b8e102670ca4f68c7030f655 https://git.kernel.org/stable/c/b23a2e15589466a027c9baa3fb5813c9f6a6c6dc https://git.kernel.org/stable/c/aa743b0d98448282b2cb37356db8db2a48524624 https://git.kernel.org/stable/c/442848e457f5a9f71a4e7e14d24d73dae278ebe3 https://git.kernel.org/stable/c/85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add missing NULL pointer check for pingpong interface It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing. Also use convenient locals instead of phys_enc->* where available. Patchwork: https://patchwork.freedesktop.org/patch/693860/ | 2026-01-14 | not yet calculated | CVE-2025-71138 | https://git.kernel.org/stable/c/678d1c86566dfbb247ba25482d37fddde6140cc9 https://git.kernel.org/stable/c/471baae774a30a04cf066907b60eaf3732928cb7 https://git.kernel.org/stable/c/35ea3282136a630a3fd92b76f5a3a02651145ef1 https://git.kernel.org/stable/c/88733a0b64872357e5ecd82b7488121503cb9cc6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kernel/kexec: fix IMA when allocation happens in CMA area *** Bug description *** When I tested kexec with the latest kernel, I ran into the following warning: [ 40.712410] ------------[ cut here ]------------ [ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198 [...] [ 40.816047] Call trace: [ 40.818498] kimage_map_segment+0x144/0x198 (P) [ 40.823221] ima_kexec_post_load+0x58/0xc0 [ 40.827246] __do_sys_kexec_file_load+0x29c/0x368 [...] [ 40.855423] ---[ end trace 0000000000000000 ]--- *** How to reproduce *** This bug is only triggered when the kexec target address is allocated in the CMA area. If no CMA area is reserved in the kernel, use the "cma=" option in the kernel command line to reserve one. *** Root cause *** The commit 07d24902977e ("kexec: enable CMA based contiguous allocation") allocates the kexec target address directly on the CMA area to avoid copying during the jump. In this case, there is no IND_SOURCE for the kexec segment. But the current implementation of kimage_map_segment() assumes that IND_SOURCE pages exist and map them into a contiguous virtual address by vmap(). *** Solution *** If IMA segment is allocated in the CMA area, use its page_address() directly. | 2026-01-14 | not yet calculated | CVE-2025-71139 | https://git.kernel.org/stable/c/a843e4155c83211c55b1b6cc17eab27a6a2c5b6f https://git.kernel.org/stable/c/a3785ae5d334bb71d47a593d54c686a03fb9d136 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler. Turns out on the MT8173, the VPU IPI handler is called from hard IRQ context. This causes a big warning from the scheduler. This was first reported downstream on the ChromeOS kernels, but is also reproducible on mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though the actual capture format is not supported, the affected code paths are triggered. Since this lock just protects the context list and operations on it are very fast, it should be OK to switch to a spinlock. | 2026-01-14 | not yet calculated | CVE-2025-71140 | https://git.kernel.org/stable/c/2c1ea6214827041f548279c9eda341eda0cc8351 https://git.kernel.org/stable/c/b92c19675f632a41af1222027a231bc2b7efa7ed https://git.kernel.org/stable/c/3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1 https://git.kernel.org/stable/c/a5844227e0f030d2af2d85d4aed10c5eca6ca176 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tilcdc: Fix removal actions in case of failed probe The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers should only be called when the device has been successfully registered. Currently, these functions are called unconditionally in tilcdc_fini(), which causes warnings during probe deferral scenarios. [ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68 ... [ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108 [ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8 [ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144 [ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc] [ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc] Fix this by rewriting the failed probe cleanup path using the standard goto error handling pattern, which ensures that cleanup functions are only called on successfully initialized resources. Additionally, remove the now-unnecessary is_registered flag. | 2026-01-14 | not yet calculated | CVE-2025-71141 | https://git.kernel.org/stable/c/21e52dc7762908c3d499cfb493d1b8281fc1d3ab https://git.kernel.org/stable/c/71be8825e83c90c1e020feb77b29e6a99629e642 https://git.kernel.org/stable/c/a585c7ef9cabda58088916baedc6573e9a5cd2a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpuset: fix warning when disabling remote partition A warning was triggered as follows: WARNING: kernel/cgroup/cpuset.c:1651 at remote_partition_disable+0xf7/0x110 RIP: 0010:remote_partition_disable+0xf7/0x110 RSP: 0018:ffffc90001947d88 EFLAGS: 00000206 RAX: 0000000000007fff RBX: ffff888103b6e000 RCX: 0000000000006f40 RDX: 0000000000006f00 RSI: ffffc90001947da8 RDI: ffff888103b6e000 RBP: ffff888103b6e000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: ffff88810b2e2728 R12: ffffc90001947da8 R13: 0000000000000000 R14: ffffc90001947da8 R15: ffff8881081f1c00 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f55c8bbe0b2 CR3: 000000010b14c000 CR4: 00000000000006f0 Call Trace: <TASK> update_prstate+0x2d3/0x580 cpuset_partition_write+0x94/0xf0 kernfs_fop_write_iter+0x147/0x200 vfs_write+0x35d/0x500 ksys_write+0x66/0xe0 do_syscall_64+0x6b/0x390 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f55c8cd4887 Reproduction steps (on a 16-CPU machine): # cd /sys/fs/cgroup/ # mkdir A1 # echo +cpuset > A1/cgroup.subtree_control # echo "0-14" > A1/cpuset.cpus.exclusive # mkdir A1/A2 # echo "0-14" > A1/A2/cpuset.cpus.exclusive # echo "root" > A1/A2/cpuset.cpus.partition # echo 0 > /sys/devices/system/cpu/cpu15/online # echo member > A1/A2/cpuset.cpus.partition When CPU 15 is offlined, subpartitions_cpus gets cleared because no CPUs remain available for the top_cpuset, forcing partitions to share CPUs with the top_cpuset. In this scenario, disabling the remote partition triggers a warning stating that effective_xcpus is not a subset of subpartitions_cpus. Partitions should be invalidated in this case to inform users that the partition is now invalid (cpus are shared with top_cpuset). To fix this issue: 1. Emit the warning only if subpartitions_cpus is not empty and the effective_xcpus is not a subset of subpartitions_cpus. 2. During the CPU hotplug process, invalidate partitions if subpartitions_cpus is empty. | 2026-01-14 | not yet calculated | CVE-2025-71142 | https://git.kernel.org/stable/c/5d8b9d38a7676be7bb5e7d57f92156a98dab39fb https://git.kernel.org/stable/c/aa7d3a56a20f07978d9f401e13637a6479b13bd0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: samsung: exynos-clkout: Assign .num before accessing .hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the number of elements in .hws[], so that it can warn when .hws[] is accessed out of bounds. As noted in that change, the __counted_by member must be initialized with the number of elements before the first array access happens, otherwise there will be a warning from each access prior to the initialization because the number of elements is zero. This occurs in exynos_clkout_probe() due to .num being assigned after .hws[] has been accessed: UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18 index 0 is out of range for type 'clk_hw *[*]' Move the .num initialization to before the first access of .hws[], clearing up the warning. | 2026-01-14 | not yet calculated | CVE-2025-71143 | https://git.kernel.org/stable/c/fbf57f5e453dadadb3d29b2d1dbe067e3dc4e236 https://git.kernel.org/stable/c/eb1f3a6ab3efee2b52361879cdc2dc6b11f499c0 https://git.kernel.org/stable/c/a317f63255ebc3dac378c79c5bff4f8d0561c290 https://git.kernel.org/stable/c/cf33f0b7df13685234ccea7be7bfe316b60db4db |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure context reset on disconnect() After the blamed commit below, if the MPC subflow is already in TCP_CLOSE status or has fallen back to TCP at mptcp_disconnect() time, mptcp_do_fastclose() skips setting the `send_fastclose` flag and the later __mptcp_close_ssk() no longer resets the related subflow context. Any later connection will be created with both the `request_mptcp` flag and the msk-level fallback status off (it is unconditionally cleared at MPTCP disconnect time), leading to a warning in subflow_data_ready(): WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13)) Modules linked in: CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary) Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13)) Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09 RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435 RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005 RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0 Call Trace: <TASK> tcp_data_ready (net/ipv4/tcp_input.c:5356) tcp_data_queue (net/ipv4/tcp_input.c:5445) tcp_rcv_state_process (net/ipv4/tcp_input.c:7165) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955) __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6)) release_sock (net/core/sock.c:3737) mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857) inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7)) __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15)) __x64_sys_sendto (net/socket.c:2247) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f883326702d Address the issue by setting an explicit `fastclosing` flag at fastclose time, and checking such flag after mptcp_do_fastclose(). | 2026-01-14 | not yet calculated | CVE-2025-71144 | https://git.kernel.org/stable/c/5c7c7135468f3fc6379cde9777a2c18bfe92d82f https://git.kernel.org/stable/c/1c7c3a9314d8a7fc0e9a508606466a967c8e774a https://git.kernel.org/stable/c/f1a77dfc3b045c3dd5f6e64189b9f52b90399f07 https://git.kernel.org/stable/c/86730ac255b0497a272704de9a1df559f5d6602e |
| Ludashi--Ludashi | A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of physical addresses. The handler maps arbitrary physical memory via MmMapIoSpace and copies data back to user mode without verifying the caller's privileges or the target address range. This allows unprivileged users to read arbitrary physical memory, potentially exposing kernel data structures, kernel pointers, security tokens, and other sensitive information. This vulnerability can be further exploited to bypass Kernel Address Space Layout Randomization (KASLR) and achieve local privilege escalation. | 2026-01-15 | not yet calculated | CVE-2025-67246 | http://ludashi.com https://github.com/CDipper/CVE-Publication |
| LycheeOrg--Lychee | Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0. | 2026-01-12 | not yet calculated | CVE-2026-22784 | https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-jj56-2c54-4f25 https://github.com/LycheeOrg/Lychee/commit/f021a29f9ab2bafa81d9f5e32ff5bc89915c7d41 |
| maximmasiutin--TinyWeb | TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98. | 2026-01-12 | not yet calculated | CVE-2026-22781 | https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2 https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96 https://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html |
| MCP Server--Zen | A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system directories. Attackers can bypass these restrictions by accessing subdirectories of blacklisted paths. | 2026-01-12 | not yet calculated | CVE-2025-66689 | https://github.com/BeehiveInnovations/zen-mcp-server/issues/293 https://github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-66689.md |
| metabase--metabase | Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57.1. | 2026-01-12 | not yet calculated | CVE-2026-22805 | https://github.com/metabase/metabase/security/advisories/GHSA-2wgg-7r2p-cmqx |
| Microsoft--Microsoft Edge (Chromium-based) | Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (non‑administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged update commands as LocalSystem. This allows a non‑administrator to enable or disable Windows Virtualization‑Based Security (VBS) by modifying protected system registry keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. Disabling VBS weakens critical platform protections such as Credential Guard, Hypervisor‑protected Code Integrity (HVCI), and the Secure Kernel, resulting in a security feature bypass. | 2026-01-16 | not yet calculated | CVE-2026-21223 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
| Mini Router--Italy Wireless | A Stored Cross-Site Scripting (XSS) vulnerability in the Web management interface of Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to execute arbitrary scripts via a crafted payload, because the repeater AP SSID value is not sanitized when it is displayed in any page at /index.htm. | 2026-01-15 | not yet calculated | CVE-2025-65349 | https://imgur.com/a/X9DNOBj https://github.com/5ulfur/security-advisories/tree/main/CVE-2025-65349 |
| Mitel MiVoice--Mitel MiVoice | A vulnerability in the Provisioning Manager component of Mitel MiVoice MX-ONE 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication mechanisms. A successful exploit could allow an attacker to gain unauthorized access to user or admin accounts in the system. | 2026-01-15 | not yet calculated | CVE-2025-67822 | https://www.mitel.com/support/security-advisories https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0009 |
| Mitel--Mitel | A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction where the email channel is enabled. This could allow an attacker to execute arbitrary scripts in the victim's browser or desktop client application. | 2026-01-15 | not yet calculated | CVE-2025-67823 | https://www.mitel.com/support/security-advisories https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0010 |
| mlflow--mlflow/mlflow | MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0. | 2026-01-12 | not yet calculated | CVE-2025-14279 | https://huntr.com/bounties/ef478f72-2e4f-44dc-8055-fc06bef03108 https://github.com/mlflow/mlflow/commit/b0ffd289e9b0d0cc32c9e3a9b9f3843ae83dbec3 |
| Mozilla--Firefox | Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0877 | https://bugzilla.mozilla.org/show_bug.cgi?id=1999257 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0878 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003989 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0879 | https://bugzilla.mozilla.org/show_bug.cgi?id=2004602 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0880 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005014 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Sandbox escape in the Messaging System component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0881 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005845 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| Mozilla--Firefox | Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0882 | https://bugzilla.mozilla.org/show_bug.cgi?id=1924125 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0883 | https://bugzilla.mozilla.org/show_bug.cgi?id=1989340 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0884 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003588 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0885 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003607 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0886 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005658 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0887 | https://bugzilla.mozilla.org/show_bug.cgi?id=2006500 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Information disclosure in the XML component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0888 | https://bugzilla.mozilla.org/show_bug.cgi?id=1985996 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| Mozilla--Firefox | Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0889 | https://bugzilla.mozilla.org/show_bug.cgi?id=1999084 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| Mozilla--Firefox | Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0890 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005081 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0891 | Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0892 | Memory safety bugs fixed in Firefox 147 and Thunderbird 147 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| nanomq--nanomq | An issue in nanomq v0.22.7 allows attackers to cause a Denial of Service (DoS) via a crafted request. The number of data packets received in the recv-q queue of the Nanomq process continues to increase, causing the nanomq broker to fall into a deadlock and be unable to provide normal services. | 2026-01-15 | not yet calculated | CVE-2024-48077 | https://github.com/nanomq/nanomq https://gist.github.com/pengwGit/2379e7a8fe75d09621f7c060db0237c4 |
| NAVER--lucy-xss-filter | lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension. | 2026-01-16 | not yet calculated | CVE-2026-23768 | https://cve.naver.com/detail/cve-2026-23768.html https://github.com/naver/lucy-xss-filter/pull/31 |
| NAVER--lucy-xss-filter | lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files. | 2026-01-16 | not yet calculated | CVE-2026-23769 | https://cve.naver.com/detail/cve-2026-23769.html https://github.com/naver/lucy-xss-filter/pull/32 |
| Neoteroi--BlackSheep | BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers. The server part is not affected because BlackSheep delegates to an underlying ASGI server handling of response headers. This vulnerability is fixed in 2.4.6. | 2026-01-14 | not yet calculated | CVE-2026-22779 | https://github.com/Neoteroi/BlackSheep/security/advisories/GHSA-6pw3-h7xf-x4gp https://github.com/Neoteroi/BlackSheep/commit/bd4ecb9542b5d52442276b5a6907931b90f38d12 https://github.com/Neoteroi/BlackSheep/releases/tag/v2.4.6 |
| NETAPP--ONTAP 9 | ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none. | 2026-01-12 | not yet calculated | CVE-2026-22050 | https://security.netapp.com/advisory/NTAP-20260112-0001 |
| NETGEAR--EX5000 | An insufficient authentication vulnerability in NETGEAR WiFi range extenders allows a network adjacent attacker with WiFi authentication or a physical Ethernet port connection to bypass the authentication process and access the admin panel. | 2026-01-13 | not yet calculated | CVE-2026-0407 | https://www.netgear.com/support/product/ex5000 https://www.netgear.com/support/product/ex3110 https://www.netgear.com/support/product/ex6110 https://www.netgear.com/support/product/ex2800 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--EX5000 | A path traversal vulnerability in NETGEAR WiFi range extenders allows an attacker with LAN authentication to access the router's IP and review the contents of the dynamically generated webproc file, which records the username and password submitted to the router GUI. | 2026-01-13 | not yet calculated | CVE-2026-0408 | https://www.netgear.com/support/product/ex5000 https://www.netgear.com/support/product/ex3110 https://www.netgear.com/support/product/ex6110 https://www.netgear.com/support/product/ex2800 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--RBE970 | An authentication bypass vulnerability in NETGEAR Orbi devices allows users connected to the local network to access the router web interface as an admin. | 2026-01-13 | not yet calculated | CVE-2026-0405 | https://www.netgear.com/support/product/rbe971 https://www.netgear.com/support/product/rbe970 https://www.netgear.com/support/product/cbr750 https://www.netgear.com/support/product/nbr750 https://www.netgear.com/support/product/rbe770 https://www.netgear.com/support/product/rbe771 https://www.netgear.com/support/product/rbe772 https://www.netgear.com/support/product/rbe773 https://www.netgear.com/support/product/rbr750 https://www.netgear.com/support/product/rbs750 https://www.netgear.com/support/product/rbr840 https://www.netgear.com/support/product/rbs840 https://www.netgear.com/support/product/rbr850 https://www.netgear.com/support/product/rbs850 https://www.netgear.com/support/product/rbr860 https://www.netgear.com/support/product/rbs860 https://www.netgear.com/support/product/rbre950 https://www.netgear.com/support/product/rbse950 https://www.netgear.com/support/product/rbre960 https://www.netgear.com/support/product/rbse960 https://www.netgear.com/support/product/rbe370 https://www.netgear.com/support/product/rbe371 https://www.netgear.com/support/product/rbe372 https://www.netgear.com/support/product/rbe373 https://www.netgear.com/support/product/rbe374 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--RBR750 | An insufficient input validation vulnerability in NETGEAR Orbi routers allows attackers connected to the router's LAN to execute OS command injections. | 2026-01-13 | not yet calculated | CVE-2026-0403 | https://www.netgear.com/support/product/rbr750 https://www.netgear.com/support/product/rbs750 https://www.netgear.com/support/product/rbre960 https://www.netgear.com/support/product/rbse960 https://www.netgear.com/support/product/rbr850 https://www.netgear.com/support/product/rbs850 https://www.netgear.com/support/product/rbe971 https://www.netgear.com/support/product/rbe970 https://www.netgear.com/support/product/rbr860 https://www.netgear.com/support/product/rbs860 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--RBRE960 | An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default. | 2026-01-13 | not yet calculated | CVE-2026-0404 | https://www.netgear.com/support/product/rbre960 https://www.netgear.com/support/product/rbse960 https://www.netgear.com/support/product/rbr850 https://www.netgear.com/support/product/rbs850 https://www.netgear.com/support/product/rbr860 https://www.netgear.com/support/product/rbs860 https://www.netgear.com/support/product/rbre950 https://www.netgear.com/support/product/rbse950 https://www.netgear.com/support/product/rbr750 https://www.netgear.com/support/product/rbs750 https://www.netgear.com/support/product/rbr840 https://www.netgear.com/support/product/rbs840 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--XR1000v2 | An insufficient input validation vulnerability in the NETGEAR XR1000v2 allows attackers connected to the router's LAN to execute OS command injections. | 2026-01-13 | not yet calculated | CVE-2026-0406 | https://www.netgear.com/support/product/xr1000v2 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| Ollama--Ollama | Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to validate that the decoded data represents valid media before passing it to the mtmd_helper_bitmap_init_from_buf function. This function can return NULL for malformed input, but the code does not check this return value before dereferencing the pointer in subsequent operations. A remote attacker can exploit this by sending specially crafted base64 image data that decodes to invalid media, causing a segmentation fault and crashing the runner process. This results in a denial of service condition where the model becomes unavailable to all users until the service is restarted. | 2026-01-12 | not yet calculated | CVE-2025-15514 | https://huntr.com/bounties/172df98b-07cd-41ea-a628-366f8cd525c0 https://ollama.com/ https://https://github.com/ollama/ollama https://www.vulncheck.com/advisories/ollama-multi-modal-image-processing-null-pointer-dereference |
| Omnilogic--Omni Secure Files | Omni Secure Files plugin versions prior to 0.1.14 contain an arbitrary file upload vulnerability in the bundled plupload example endpoint. The /wp-content/plugins/omni-secure-files/plupload/examples/upload.php handler allows unauthenticated uploads without enforcing safe file type restrictions, enabling an attacker to place attacker-controlled files under the plugin's uploads directory. This can lead to remote code execution if a server-executable file type is uploaded and subsequently accessed. | 2026-01-16 | not yet calculated | CVE-2012-10064 | https://wpscan.com/vulnerability/376fd666-6471-479c-9b74-1d8088a33e89/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/omni-secure-files/omni-secure-files-0113-arbitrary-file-upload https://wordpress.org/plugins/omni-secure-files/ https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-omni-secure-files-upload-php-arbitrary-file-upload-0-1-13/ https://web.archive.org/web/20121025112632/http%3A//secunia.com/advisories/49441 https://packetstorm.news/files/id/113411 https://www.exploit-db.com/exploits/19009 https://web.archive.org/web/20191021091221/https%3A//www.securityfocus.com/bid/53872/ https://www.vulncheck.com/advisories/omni-secure-files-unauthenticated-arbitrary-file-upload |
| Omnispace--Omnispace | Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read. | 2026-01-15 | not yet calculated | CVE-2025-67076 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| Omnispace--Omnispace | File upload vulnerability in Omnispace Agora Project before 25.10 allowing authenticated, or under certain conditions also guest users, via the UploadTmpFile action. | 2026-01-15 | not yet calculated | CVE-2025-67077 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| Omnispace--Omnispace | Cross site scripting (XSS) vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute arbitrary code via the notify parameter of the file controller used to display errors. | 2026-01-15 | not yet calculated | CVE-2025-67078 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| Omnispace--Omnispace | File upload vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute code through the MSL engine of the Imagick library via crafted PDF file to the file upload and thumbnail functions. | 2026-01-15 | not yet calculated | CVE-2025-67079 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| orval-labs--orval | orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0. | 2026-01-12 | not yet calculated | CVE-2026-22785 | https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d |
| Paessler--Paessler | Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the tag parameter. | 2026-01-14 | not yet calculated | CVE-2025-67833 | https://paessler.com https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032 |
| Paessler--Paessler | Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the filter parameter. | 2026-01-14 | not yet calculated | CVE-2025-67834 | https://paessler.com https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032 |
| Paessler--Paessler | Paessler PRTG Network Monitor before 25.4.114 allows Denial-of-Service (DoS) by an authenticated attacker via the Notification Contacts functionality. | 2026-01-14 | not yet calculated | CVE-2025-67835 | https://paessler.com https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032 |
| Palo Alto Networks--Cloud NGFW | A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue result in the firewall entering into maintenance mode. | 2026-01-15 | not yet calculated | CVE-2026-0227 | https://security.paloaltonetworks.com/CVE-2025-4620 |
| Pegasystems--Pega Infinity | Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by an unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file. | 2026-01-13 | not yet calculated | CVE-2025-62182 | https://support.pega.com/support-doc/pega-security-advisory-l25-vulnerability-remediation-note |
| pH7Software--pH7Software | A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field. | 2026-01-14 | not yet calculated | CVE-2025-63644 | https://drive.google.com/drive/folders/1mYDvUTnlTPCGTB-7tHD3pmu_wHtlMVRP https://medium.com/@rudranshsinghrajpurohit/cve-2025-63644-stored-cross-site-scripting-xss-vulnerability-in-ph7-social-dating-cms-23ed0e7eb853 |
| phpgurukul--phpgurukul | phpgurukul News Portal Project V4.1 has an Arbitrary File Deletion Vulnerability in remove_file.php. The parameter file can cause any file to be deleted. | 2026-01-13 | not yet calculated | CVE-2025-69990 | https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/File%20deletion%20vulnerability.md |
| phpgurukul--phpgurukul | phpgurukul News Portal Project V4.1 is vulnerable to SQL Injection in check_availablity.php. | 2026-01-13 | not yet calculated | CVE-2025-69991 | https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/SQL%20Injection.md |
| phpgurukul--phpgurukul | phpgurukul News Portal Project V4.1 has a File Upload Vulnerability via upload.php, which enables the upload of files of any format to the server without identity authentication. | 2026-01-13 | not yet calculated | CVE-2025-69992 | https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/File%20upload%20vulnerability.md |
| QloApps--QloApps | A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. | 2026-01-12 | not yet calculated | CVE-2021-41074 | https://qloapps.com/ https://github.com/dillonkirsch/CVE-2021-41074 |
| RIOT--RIOT OS | RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption. | 2026-01-12 | not yet calculated | CVE-2026-22213 | https://seclists.org/fulldisclosure/2026/Jan/15 https://www.riot-os.org/ https://github.com/RIOT-OS/RIOT https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility |
| RIOT--RIOT OS | RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash. | 2026-01-12 | not yet calculated | CVE-2026-22214 | https://seclists.org/fulldisclosure/2026/Jan/16 https://www.riot-os.org/ https://github.com/RIOT-OS/RIOT https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-ethos-serial-frame-parser |
| run-llama--llama_index | LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk. | 2026-01-12 | not yet calculated | CVE-2024-14021 | https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12 https://www.llamaindex.ai/ https://github.com/run-llama/llama_index https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization |
| run-llama--llama_index | LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits. In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query(). | 2026-01-12 | not yet calculated | CVE-2024-58339 | https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f https://www.llamaindex.ai/ https://github.com/run-llama/llama_index https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion |
| RustCrypto--utils | RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). This vulnerability is fixed in 0.4.4. | 2026-01-15 | not yet calculated | CVE-2026-23519 | https://github.com/RustCrypto/utils/security/advisories/GHSA-2gqc-6j2q-83qp https://github.com/RustCrypto/utils/commit/55977257e7c82a309d5e8abfdd380a774f0f9778 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80. | 2026-01-16 | not yet calculated | CVE-2026-22782 | https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef02c0863bd515b4412a5a560 https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122 |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68698 | https://github.com/samrocketman/jervis/security/advisories/GHSA-mqw7-c5gg-xq97 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses deterministic AES IV derivation from a passphrase. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68701 | https://github.com/samrocketman/jervis/security/advisories/GHSA-crxp-chh4-9ghp https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses padLeft(32, '0') when it should use padLeft(64, '0') because SHA-256 produces 32 bytes which equates to 64 hex characters. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68702 | https://github.com/samrocketman/jervis/security/advisories/GHSA-67rj-pjg6-pq59 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68703 | https://github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68704 | https://github.com/samrocketman/jervis/security/advisories/GHSA-c9q6-g3hr-8gww https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68925 | https://github.com/samrocketman/jervis/security/advisories/GHSA-5pq9-5mpr-jj85 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68931 | https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| Schneider Electric--EcoStruxure Power Build Rapsody | CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody. | 2026-01-15 | not yet calculated | CVE-2025-13844 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf |
| Schneider Electric--EcoStruxure Power Build Rapsody | CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody. | 2026-01-15 | not yet calculated | CVE-2025-13845 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf |
| Semantic--Semantic | An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints. | 2026-01-13 | not yet calculated | CVE-2025-66698 | http://veda.com http://semantic.com https://github.com/Perunchess/CVE-2025-66698 |
| ServiceNow--Now Assist AI Agents | A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so. | 2026-01-12 | not yet calculated | CVE-2025-12420 | https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329 |
| siyuan-note--siyuan | SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2. | 2026-01-16 | not yet calculated | CVE-2026-23645 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j https://github.com/siyuan-note/siyuan/issues/16844 https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388 |
| Slab--Quill | A lack of data validation vulnerability in the HTML export feature in Quill allows Cross-Site Scripting (XSS). This issue affects Quill: 2.0.3. | 2026-01-13 | not yet calculated | CVE-2025-15056 | https://fluidattacks.com/advisories/diomedes https://github.com/slab/quill |
| Sonatype--Nexus Repository | Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources. A workaround configuration is available starting in version 3.88.0, but the product remains vulnerable by default. | 2026-01-14 | not yet calculated | CVE-2026-0600 | https://support.sonatype.com/hc/en-us/articles/47928855816595 |
| Sonatype--Nexus Repository | A reflected cross-site scripting vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted request requiring user interaction. | 2026-01-14 | not yet calculated | CVE-2026-0601 | https://help.sonatype.com/en/sonatype-nexus-repository-3-88-0-release-notes.html https://support.sonatype.com/hc/en-us/articles/47934334375955 |
| Sourcecodester--Sourcecodester | Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application receives a reverse shell (php) into imagem of the user enabling RCE. | 2026-01-12 | not yet calculated | CVE-2025-66802 | https://feedly.com/cve/CVE-2022-2746 https://github.com/mtgsjr/CVE-2025-66802 |
| SparkyFitness--SparkyFitness | SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output. | 2026-01-15 | not yet calculated | CVE-2025-65368 | https://github.com/CodeWithCJ/SparkyFitness https://github.com/CodeWithCJ/SparkyFitness/security/advisories/GHSA-j7x6-6678-2xqp#event-521570 |
| Stackideas.com--EasyDiscuss extension for Joomla | Lack of input filtering leads to a persistent XSS vulnerability in the forum post handling of the Easy Discuss component for Joomla. | 2026-01-16 | not yet calculated | CVE-2026-21623 | https://stackideas.com/easydiscuss |
| Stackideas.com--EasyDiscuss extension for Joomla | Lack of input filtering leads to a persistent XSS vulnerability in the user avatar text handling of the Easy Discuss component for Joomla. | 2026-01-16 | not yet calculated | CVE-2026-21624 | https://stackideas.com/easydiscuss |
| Stackideas.com--EasyDiscuss extension for Joomla | User-provided uploads to the Easy Discuss component for Joomla aren't properly validated. Uploads are checked purely by file extension; no MIME type checks are performed. | 2026-01-16 | not yet calculated | CVE-2026-21625 | https://stackideas.com/easydiscuss |
| SteelSeries--SteelSeries | SteelSeries Nahimic 3 1.10.7 allows Directory traversal. | 2026-01-16 | not yet calculated | CVE-2025-68921 | https://steelseries.gg https://steelseries.com/nahimic https://gist.github.com/ZeroMemoryEx/93208b7e57a5444de3654816857ddef4 |
| Steven--Uploadify | Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation. An unauthenticated remote attacker can upload arbitrary files to the affected WordPress site, which may allow remote code execution by uploading executable content to a web-accessible location. | 2026-01-15 | not yet calculated | CVE-2011-10041 | https://packetstorm.news/files/id/98652 https://wpscan.com/vulnerability/6946364c-9764-468e-87d5-2dd57e531985/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/uploadify/uploadify-10-arbitrary-file-upload https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-uploadify-remote-file-upload-1-0/ https://www.vulncheck.com/advisories/uploadify-unauthenticated-arbitrary-file-upload |
| Svelte--Svelte | An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3. | 2026-01-15 | not yet calculated | CVE-2025-15265 | https://fluidattacks.com/advisories/lydian https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3 |
| sveltejs--kit | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5. | 2026-01-15 | not yet calculated | CVE-2025-67647 | https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35 https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226 |
| sveltejs--kit | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5. | 2026-01-15 | not yet calculated | CVE-2026-22803 | https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46 https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5 https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1 |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the mac parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-15 | not yet calculated | CVE-2025-70656 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/11/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the cloneType parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-15 | not yet calculated | CVE-2025-70744 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/10/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the timeZone parameter of the fromSetSysTime function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-16 | not yet calculated | CVE-2025-70746 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/4/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serviceName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-14 | not yet calculated | CVE-2025-70747 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/6/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_4CA50 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-70753 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/8/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the wanSpeed parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-15 | not yet calculated | CVE-2025-71019 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/9/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_4C408 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-16 | not yet calculated | CVE-2025-71020 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/5/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serverName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-14 | not yet calculated | CVE-2025-71021 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/7/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the mac2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71023 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/11/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the serviceName2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71024 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/12/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the cloneType2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71025 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/10/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the wanSpeed2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71026 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/9/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the wanMTU2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71027 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/8/1.md |
| The GNU C Library--glibc | Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both the size and the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments. | 2026-01-14 | not yet calculated | CVE-2026-0861 | https://sourceware.org/bugzilla/show_bug.cgi?id=33796 https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001 |
| The GNU C Library--glibc | Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver. | 2026-01-15 | not yet calculated | CVE-2026-0915 | https://sourceware.org/bugzilla/show_bug.cgi?id=33802 |
| The Nu Html Checker--The Nu Html Checker | Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses. This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd). | 2026-01-16 | not yet calculated | CVE-2025-15104 | https://fluidattacks.com/advisories/europe https://github.com/validator/validator |
| TheLibrarian--TheLibrarian.io | The Librarian contains an information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure. The vendor has fixed the vulnerability in all versions of TheLibrarian. | 2026-01-16 | not yet calculated | CVE-2026-0612 | http://mindgard.ai/blog/thelibrarian-ios-ai-security- https://thelibrarian.io/ |
| TheLibrarian--TheLibrarian.io | The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hetzner cloud environment that TheLibrarian uses. The vendor has fixed the vulnerability in all affected versions. | 2026-01-16 | not yet calculated | CVE-2026-0613 | https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure https://thelibrarian.io/ |
| TheLibrarian--TheLibrarian.io | The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions. | 2026-01-16 | not yet calculated | CVE-2026-0615 | http://mindgard.ai/blog/thelibrarian-ios-ai-security- https://thelibrarian.io/ |
| TheLibrarian--TheLibrarian.io | TheLibrarian's web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions. | 2026-01-16 | not yet calculated | CVE-2026-0616 | https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure https://thelibrarian.io/ |
| TinyOS--TinyOS | TinyOS versions up to and including 2.1.2 contain a global buffer overflow vulnerability in the printfUART formatted output implementation used within the ZigBee / IEEE 802.15.4 networking stack. The implementation formats output into a fixed-size global buffer and concatenates strings for %s format specifiers using strcat() without verifying remaining buffer capacity. When printfUART is invoked with a caller-controlled string longer than the available space, the unbounded sprintf/strcat sequence writes past the end of debugbuf, resulting in global memory corruption. This can cause denial of service, unintended behavior, or information disclosure via corrupted adjacent global state or UART output. | 2026-01-14 | not yet calculated | CVE-2026-22211 | https://seclists.org/fulldisclosure/2026/Jan/14 https://github.com/tinyos/tinyos-main https://www.vulncheck.com/advisories/tinyos-global-buffer-overflow-in-printfuart |
| TinyOS--TinyOS | TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery. A local attacker can exploit this by creating specially crafted filenames under /dev/usb/, leading to stack memory corruption and application crashes. | 2026-01-12 | not yet calculated | CVE-2026-22212 | https://seclists.org/fulldisclosure/2026/Jan/14 https://github.com/tinyos/tinyos-main https://www.vulncheck.com/advisories/tinyos-stack-based-buffer-overflow-in-mcp2200gpio |
| TOA Corporation--Multiple Network Cameras TRIFORA 3 series | OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low ("monitoring user") or higher privilege to execute an arbitrary OS command. | 2026-01-16 | not yet calculated | CVE-2026-20759 | https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf https://jvn.jp/en/jp/JVN08087148/ |
| TOA Corporation--Multiple Network Cameras TRIFORA 3 series | Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen. | 2026-01-16 | not yet calculated | CVE-2026-20894 | https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf https://jvn.jp/en/jp/JVN08087148/ |
| TOA Corporation--Multiple Network Cameras TRIFORA 3 series | Path Traversal vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If this vulnerability is exploited, arbitrary files on the affected product may be retrieved by a logged-in user with the low ("monitoring user") or higher privilege. | 2026-01-16 | not yet calculated | CVE-2026-22876 | https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf https://jvn.jp/en/jp/JVN08087148/ |
| Tongyu--Tongyu | An authentication bypass vulnerability in the Tongyu AX1800 Wi-Fi 6 Router with firmware 1.0.0 allows unauthenticated network-adjacent attackers to perform arbitrary configuration changes without providing credentials, as long as a valid admin session is active. This can result in full compromise of the device (i.e., via unauthenticated access to /boaform/formSaveConfig and /boaform/admin endpoints). | 2026-01-13 | not yet calculated | CVE-2025-68707 | https://www.tongyucom.com/product/ax1800.html https://github.com/actuator/cve/tree/main/Tongyu https://github.com/actuator/cve/blob/main/Tongyu/CVE-2025-68707.txt |
| TP-Link Systems Inc.--TL-WR841N v14 | A Null Pointer Dereference vulnerability exists in the referer header check of the web portal of TP-Link TL-WR841N v14, caused by improper input validation. A remote, unauthenticated attacker can exploit this flaw and cause Denial of Service on the web portal service. This issue affects TL-WR841N v14: before 250908. | 2026-01-15 | not yet calculated | CVE-2025-9014 | https://www.tp-link.com/us/support/faq/4894/ https://www.tp-link.com/jp/support/download/tl-wr841n/#Firmware https://www.tp-link.com/en/support/download/tl-wr841n/#Firmware https://www.tp-link.com/us/support/download/tl-wr841n/#Firmware |
| TP-Link Systems Inc.--VIGI InSight Sx45 Series (S245/S345/S445) | Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security. | 2026-01-16 | not yet calculated | CVE-2026-0629 | https://www.vigi.com/us/support/download/ https://www.vigi.com/en/support/download/ https://www.vigi.com/in/support/download/ https://www.tp-link.com/us/support/faq/4899/ |
| Typesetter--Typesetter | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session. | 2026-01-14 | not yet calculated | CVE-2025-71164 | https://github.com/Typesetter/Typesetter https://github.com/Typesetter/Typesetter/issues/706 https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-editing-php |
| Typesetter--Typesetter | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | 2026-01-14 | not yet calculated | CVE-2025-71165 | https://github.com/Typesetter/Typesetter https://github.com/Typesetter/Typesetter/issues/709 https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-status-php |
| Typesetter--Typesetter | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | 2026-01-14 | not yet calculated | CVE-2025-71166 | https://github.com/Typesetter/Typesetter https://github.com/Typesetter/Typesetter/issues/707 https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-move-message-handling |
| TYPO3--TYPO3 CMS | By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2025-59020 | https://typo3.org/security/advisory/typo3-core-sa-2026-001 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| TYPO3--TYPO3 CMS | Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user's own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs - facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2025-59021 | https://typo3.org/security/advisory/typo3-core-sa-2026-002 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| TYPO3--TYPO3 CMS | Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2025-59022 | https://typo3.org/security/advisory/typo3-core-sa-2026-003 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| TYPO3--TYPO3 CMS | TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2026-0859 | https://typo3.org/security/advisory/typo3-core-sa-2026-004 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| Vanilla OS--fabricators ltd | fabricators Ltd Vanilla OS 2 Core image v1.1.0 was discovered to contain static keys for the SSH service, allowing attackers to possibly execute a man-in-the-middle attack during connections with other hosts. | 2026-01-13 | not yet calculated | CVE-2024-54855 | http://vanilla.com http://fabricators.com https://github.com/Vanilla-OS/core-image/security/advisories/GHSA-67pc-hqr2-g34h |
| Viafirma--Inbox | IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using the password recovery functionality to access the application by impersonating any user, including those with administrative permissions. | 2026-01-12 | not yet calculated | CVE-2025-41077 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products |
| Viafirma--Viafirma Documents | Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating other users of the application in the generation and signing of documents. | 2026-01-12 | not yet calculated | CVE-2025-41078 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products |
| Vivotek--Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391, FE9180, FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371, IB9381, IB9387, IB9389, IB939, IP9165, IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Vivotek devices (Firmware modules) allows OS Command Injection. Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391, FE9180, FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371, IB9381, IB9387, IB9389, IB939, IP9165, IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330. This issue affects the device models listed above: 0100a, 0106a, 0106b, 0107a, 0107b_1, 0109a, 0112a, 0113a, 0113d, 0117b, 0119e, 0120b, 0121, 0121d, 0121d_48573_1, 0122e, 0124d_48573_1, 012501, 012502, 0125c. | 2026-01-13 | not yet calculated | CVE-2026-22755 | http://www.vapidlabs.com/advisory.php?v=220 |
| WeblateOrg--weblate | Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2. | 2026-01-14 | not yet calculated | CVE-2026-21889 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3g2f-4rjg-9385 https://github.com/WeblateOrg/weblate/pull/17516 https://github.com/WeblateOrg/weblate/commit/a6eb5fd0299780eca286be8ff187dc2d10feec47 |
| WordPress--Dreamer Blog | The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check. | 2026-01-13 | not yet calculated | CVE-2025-10915 | https://wpscan.com/vulnerability/dab3a804-9027-4b4a-b61c-61b562045bc4/ |
| WordPress--E-xact \| Hosted Payment \| | The E-xact \| Hosted Payment \| WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. | 2026-01-13 | not yet calculated | CVE-2025-14829 | https://wpscan.com/vulnerability/872569bc-16fb-427f-accc-147f284137cd/ |
| WordPress--Quiz Maker | The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2026-01-12 | not yet calculated | CVE-2025-14579 | https://wpscan.com/vulnerability/1ff8ea2b-6513-4d5c-b7ea-9ab39c9ea9c6/ |
| WorkDo--eCommerceGo SaaS | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to '/store-ticket', using the 'subject' and 'description' parameters. | 2026-01-12 | not yet calculated | CVE-2025-40977 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| WorkDo--eCommerceGo SaaS | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to '/ticket/x/conversion', using the 'reply_description' parameter. | 2026-01-12 | not yet calculated | CVE-2025-40978 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| WorkDo--HRMGo | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo, consisting of a lack of proper validation of user input by sending a POST request to '/hrmgo/ticket/changereply', using the 'description' parameter. | 2026-01-12 | not yet calculated | CVE-2025-40975 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| WorkDo--TicketGo | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's TicketGo, consisting of a lack of proper validation of user input by sending a POST request to '/ticketgo-saas/home', using the 'description' parameter. | 2026-01-12 | not yet calculated | CVE-2025-40976 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| xmall--xmall | Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId. | 2026-01-12 | not yet calculated | CVE-2023-36331 | https://github.com/Exrick/xmall/issues/100 |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory. | 2026-01-12 | not yet calculated | CVE-2026-22776 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792 |
| YSoft--SafeQ 6 | Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools. The affected customers are only those with a password-protected scan workflow connector. This issue affects Y Soft SafeQ 6 in versions before MU106. | 2026-01-14 | not yet calculated | CVE-2025-13175 | https://www.ysoft.com/safeq https://docs.ysoft.cloud/safeq6/latest/safeq6/release-notes-build-106 https://cert.pl/en/posts/2026/01/CVE-2025-13175 |
| Zhiyuan--Zhyuan | Cross site scripting vulnerability in seeyon Zhiyuan A8+ Collaborative Management Software 7.0 via the topValue parameter to the seeyon/main.do endpoint. | 2026-01-16 | not yet calculated | CVE-2025-56451 | https://www.yuque.com/076w/syst1m/zlp7c6hmowx6cg51?singleDoc https://gist.github.com/076w/b223381ba06b05845d919fb29619777b |

Vulnerability Summary for the Week of January 5, 2026
Posted on Monday January 12, 2026

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AA-Team--Amazon Native Shopping Recommendations | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Native Shopping Recommendations allows SQL Injection. This issue affects Amazon Native Shopping Recommendations: from n/a through 1.3. | 2026-01-05 | 9.3 | CVE-2025-30633 | https://vdp.patchstack.com/database/wordpress/plugin/woozone-contextual/vulnerability/wordpress-amazon-native-shopping-recommendations-plugin-1-3-sql-injection-vulnerability?_s_id=cve |
| AA-Team--Premium Age Verification / Restriction for WordPress | Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation. This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0. | 2026-01-06 | 8.8 | CVE-2025-29004 | https://patchstack.com/database/wordpress/plugin/age-restriction/vulnerability/wordpress-premium-age-verification-restriction-for-wordpress-plugin-3-0-2-privilege-escalation-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/plugin/wordpress-flat-countdown/vulnerability/wordpress-responsive-coming-soon-landing-page-holding-page-for-wordpress-3-0-privilege-escalation-vulnerability?_s_id=cve |
| AA-Team--Premium SEO Pack | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Premium SEO Pack allows SQL Injection. This issue affects Premium SEO Pack: from n/a through 3.3.2. | 2026-01-05 | 8.5 | CVE-2025-31044 | https://vdp.patchstack.com/database/wordpress/plugin/premium-seo-pack/vulnerability/wordpress-premium-seo-pack-3-3-2-sql-injection-vulnerability?_s_id=cve |
| AA-Team--Woocommerce Sales Funnel Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS. This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. | 2026-01-06 | 7.1 | CVE-2025-30631 | https://patchstack.com/database/wordpress/plugin/woosales/vulnerability/wordpress-woocommerce-sales-funnel-builder-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/plugin/azon-addon-js-composer/vulnerability/wordpress-amazon-affiliates-addon-for-wpbakery-page-builder-formerly-visual-composer-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ABB--WebPro SNMP Card PowerValue | Incorrect Implementation of Authentication Algorithm vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL. This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. | 2026-01-07 | 8.8 | CVE-2025-4676 | https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009&LanguageCode=en&DocumentPartId=&Action=Launch |
| Adtecdigital--SignEdje Digital Signage Player | Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec Digital product versions. | 2026-01-06 | 7.5 | CVE-2020-36915 | ExploitDB-48954 Adtec Digital Official Homepage Zero Science Lab Disclosure (ZSL-2020-5603) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: Adtec Digital SignEdje Digital Signage Player v2.08.28 Default Credentials |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3. | 2026-01-05 | 7.5 | CVE-2025-69223 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a |
| aksharsoftsolutions--AS Password Field In Default Registration Form | The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts. | 2026-01-06 | 9.8 | CVE-2025-14996 | https://www.wordfence.com/threat-intel/vulnerabilities/id/061f022b-b922-4499-bb34-8ea91ba5ace3?source=cve https://plugins.trac.wordpress.org/browser/as-password-field-in-default-registration-form/tags/2.0.0/as-password-field-default-registration.php |
| Alibaba--Fastjson | Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845. | 2026-01-09 | 10 | CVE-2025-70974 | https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48 https://www.seebug.org/vuldb/ssvid-98020 https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238 https://www.freebuf.com/vuls/208339.html https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955 |
| arraytics--Eventin Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) | The Eventin - Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded. | 2026-01-09 | 7.2 | CVE-2025-14657 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e4188b26-80f8-41b8-be19-1ddcbd7e39f5?source=cve https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/Enqueue/register.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2FEnqueue%2Fregister.php https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/api-handler.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2Fapi-handler.php https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/core/event/api.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fcore%2Fevent%2Fapi.php |
| Arteco-Global--Arteco Web Client DVR/NVR | Arteco Web Client DVR/NVR contains a session hijacking vulnerability with insufficient session ID complexity that allows remote attackers to bypass authentication. Attackers can brute force session IDs within a specific numeric range to obtain valid sessions and access live camera streams without authorization. | 2026-01-06 | 9.8 | CVE-2020-36925 | ExploitDB-49348 Arteco Official Vendor Homepage Zero Science Lab Disclosure (ZSL-2020-5613) Packet Storm Security Exploit Archive IBM X-Force Exchange Vulnerability Entry 1 IBM X-Force Exchange Vulnerability Entry 2 CXSecurity Vulnerability Listing VulnCheck Advisory: Arteco Web Client DVR/NVR Session ID Brute Force Authentication Bypass |
| AWS--Kiro IDE | Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version. | 2026-01-09 | 7.8 | CVE-2026-0830 | https://kiro.dev/changelog/spec-correctness-and-cli/ https://aws.amazon.com/security/security-bulletins/2026-001-AWS/ |
| bg5sbk--MiniCMS | A vulnerability was found in bg5sbk MiniCMS up to 1.8. The impacted element is an unknown function of the file /minicms/mc-admin/post.php of the component Trash File Restore Handler. Performing a manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 7.3 | CVE-2025-15457 | VDB-339490 \| bg5sbk MiniCMS Trash File Restore post.php improper authentication VDB-339490 \| CTI Indicators (IOB, IOC, IOA) Submit #725139 \| MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 unauthorized vulnerability https://github.com/ueh1013/VULN/issues/12 |
| bg5sbk--MiniCMS | A vulnerability was determined in bg5sbk MiniCMS up to 1.8. This affects an unknown function of the file /mc-admin/post-edit.php of the component Article Handler. Executing a manipulation can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 7.3 | CVE-2025-15458 | VDB-339491 \| bg5sbk MiniCMS Article post-edit.php improper authentication VDB-339491 \| CTI Indicators (IOB, IOC, IOA) Submit #725142 \| MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 unauthorized vulnerability https://github.com/ueh1013/VULN/issues/9 |
| Brecht--Custom Related Posts | Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data. This issue affects Custom Related Posts: from n/a through 1.8.0. | 2026-01-05 | 7.5 | CVE-2025-68033 | https://vdp.patchstack.com/database/wordpress/plugin/custom-related-posts/vulnerability/wordpress-custom-related-posts-plugin-1-8-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| buddydev--BuddyPress Xprofile Custom Field Types | The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2026-01-06 | 7.2 | CVE-2025-14997 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89a7a717-dac3-490e-89dd-268be8eb7bf5?source=cve https://plugins.trac.wordpress.org/browser/bp-xprofile-custom-field-types/tags/1.2.8/src/handlers/class-field-upload-helper.php https://plugins.trac.wordpress.org/changeset/3430565/bp-xprofile-custom-field-types |
| CAYIN Technology--SMP-8000QD | Cayin Signage Media Player 3.0 contains an authenticated remote command injection vulnerability in system.cgi and wizard_system.cgi pages. Attackers can exploit the 'NTP_Server_IP' parameter with default credentials to execute arbitrary shell commands as root. | 2026-01-06 | 8.8 | CVE-2020-36910 | ExploitDB-48557 Cayin Technology Official Website Zero Science Lab Disclosure (ZSL-2020-5569) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Listing VulnCheck Advisory: Cayin Signage Media Player 3.0 Authenticated Remote Command Injection via NTP Parameter |
| Centreon--Infra Monitoring | Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. | 2026-01-05 | 9.8 | CVE-2025-15026 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15026-centreon-awie-critical-severity-5357 |
| Centreon--Infra Monitoring | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring (Awie export modules) allows SQL Injection to unauthenticated user. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. | 2026-01-05 | 9.8 | CVE-2025-15029 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15029-centreon-awie-critical-severity-5356 |
| Centreon--Infra Monitoring | In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Backup configuration in the administration setup modules) allows OS Command Injection. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | 2026-01-05 | 7.2 | CVE-2025-5965 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-5965-centreon-web-high-severity-5362 |
| code-projects--Intern Membership Management System | A vulnerability was determined in code-projects Intern Membership Management System 1.0. Affected is an unknown function of the file /intern/admin/check_admin.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-08 | 7.3 | CVE-2026-0700 | VDB-339977 \| code-projects Intern Membership Management System check_admin.php sql injection VDB-339977 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #733001 \| code-projects Intern Membership Management System check_admin.php 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20check_admin.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Online Music Site | A security vulnerability has been detected in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Such manipulation of the argument username/password leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-01-05 | 7.3 | CVE-2026-0605 | VDB-339549 \| code-projects Online Music Site login.php sql injection VDB-339549 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731695 \| code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A52.md https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A52.md#vulnerability-details-and-poc https://code-projects.org/ |
| code-projects--Online Music Site | A vulnerability was detected in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /FrontEnd/Albums.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-05 | 7.3 | CVE-2026-0606 | VDB-339550 \| code-projects Online Music Site Albums.php sql injection VDB-339550 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731696 \| code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A51.md https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A51.md#vulnerability-details-and-poc https://code-projects.org/ |
| code-projects--Online Music Site | A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminViewSongs.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-01-05 | 7.3 | CVE-2026-0607 | VDB-339551 \| code-projects Online Music Site AdminViewSongs.php sql injection VDB-339551 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731697 \| code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A53.md https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A53.md#vulnerability-details-and-poc https://code-projects.org/ |
| code-projects--Online Music Site | A vulnerability was identified in code-projects Online Music Site 1.0. The affected element is an unknown function of the file /Administrator/PHP/AdminAddUser.php. The manipulation of the argument txtusername leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-01-11 | 7.3 | CVE-2026-0851 | VDB-340446 \| code-projects Online Music Site AdminAddUser.php sql injection VDB-340446 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #733644 \| Code-Projects Online Music Site V1.0 SQLinjection https://github.com/tuo159515/sql-injection/issues/2 https://code-projects.org/ |
| code-projects--Online Product Reservation System | A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This vulnerability affects unknown code of the file app/user/login.php of the component User Login. The manipulation of the argument emailadd results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-05 | 7.3 | CVE-2026-0583 | VDB-339475 \| code-projects Online Product Reservation System User Login login.php sql injection VDB-339475 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731093 \| code-projects Online Product Reservation system V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_login.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_login.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the file /order_view.php of the component GET Parameter Handler. Such manipulation of the argument transaction_id leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2026-01-05 | 7.3 | CVE-2026-0585 | VDB-339477 \| code-projects Online Product Reservation System GET Parameter order_view.php sql injection VDB-339477 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731096 \| code-projects Online Product Reservation system V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_order_view.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_order_view.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A vulnerability was found in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the component Administration Backend. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. | 2026-01-05 | 7.3 | CVE-2026-0589 | VDB-339499 \| code-projects Online Product Reservation System Administration Backend improper authentication VDB-339499 \| CTI Indicators (IOB, IOC) Submit #731127 \| code-projects Online Product Reservation System V1.0 Authentication Bypass Issues https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/auth_bypass_admin_panel.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/auth_bypass_admin_panel.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This affects an unknown function of the file /handgunner-administrator/register_code.php of the component User Registration Handler. Performing a manipulation of the argument fname/lname/address/city/province/country/zip/tel_no/email/username results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-05 | 7.3 | CVE-2026-0592 | VDB-339502 \| code-projects Online Product Reservation System User Registration register_code.php sql injection VDB-339502 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731130 \| code-projects Online Product Reservation System V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_register_code.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_register_code.php.md#poc https://code-projects.org/ |
| codename065--Download Manager | The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change users' passwords, except administrators', and leverage that to gain access to their accounts. | 2026-01-06 | 7.3 | CVE-2025-15364 | https://www.wordfence.com/threat-intel/vulnerabilities/id/067031e8-6aa8-451c-a318-b1848c7a4f92?source=cve https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.40/src/__/Crypt.php#L18 https://plugins.trac.wordpress.org/changeset/3431915/download-manager#file7 |
| Codepeople--Sell Downloads | Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sell Downloads: from n/a through 1.1.12. | 2026-01-05 | 7.5 | CVE-2025-68850 | https://vdp.patchstack.com/database/wordpress/plugin/sell-downloads/vulnerability/wordpress-sell-downloads-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve |
| Columbia Weather Systems--MicroServer | An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device. | 2026-01-07 | 8.8 | CVE-2025-61939 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json |
| Columbia Weather Systems--MicroServer | An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system. | 2026-01-07 | 8 | CVE-2025-66620 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json |
| Comfy-Org--ComfyUI-Manager | ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5. | 2026-01-10 | 7.5 | CVE-2026-22777 | https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2 https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410 |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue. | 2026-01-05 | 10 | CVE-2025-59157 | https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3 |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | 10 | CVE-2025-64420 | https://github.com/coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build pack "docker compose"), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue. | 2026-01-05 | 9.7 | CVE-2025-64419 | https://github.com/coollabsio/coolify/security/advisories/GHSA-234r-xrrg-m8f3 https://github.com/coollabsio/coolify/commit/f86ccfaa9af572a5487da8ea46b0a125a4854cf6 |
| coreruleset--coreruleset | The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue. | 2026-01-08 | 9.3 | CVE-2026-21876 | https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5 https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83 https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6 https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8 https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0 |
| Corourke--iPhone Webclip Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Corourke iPhone Webclip Manager allows Stored XSS. This issue affects iPhone Webclip Manager: from n/a through 0.5. | 2026-01-05 | 7.1 | CVE-2024-53735 | https://vdp.patchstack.com/database/wordpress/plugin/iphone-webclip-manager/vulnerability/wordpress-iphone-webclip-manager-plugin-0-5-csrf-to-stored-xss-vulnerability?_s_id=cve |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF) vulnerability due to missing restrictions of the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined instructions and actions that can interact with remote services via OpenAPI specifications, supporting various HTTP methods, parameters, and authentication methods including custom headers. By default, there are no restrictions on accessible services, which means agents can also access internal components like the RAG API included in the default Docker Compose setup. This issue is fixed in version 0.8.1-rc2. | 2026-01-07 | 9.1 | CVE-2025-69222 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8 https://github.com/danny-avila/LibreChat/commit/3b41e392ba5c0d603c1737d8582875e04eaa6e02 https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2 |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agent's file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2. | 2026-01-07 | 7.1 | CVE-2025-69220 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-xcmf-rpmh-hg59 https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237 https://cwe.mitre.org/data/definitions/284.html https://cwe.mitre.org/data/definitions/862.html https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2 https://owasp.org/Top10/A01_2021-Broken_Access_Control https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf |
| Dasinfomedia--WPCHURCH | Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH allows Privilege Escalation. This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-07 | 8.8 | CVE-2025-31643 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-2-7-0-privilege-escalation-vulnerability?_s_id=cve |
| Dasinfomedia--WPCHURCH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dasinfomedia WPCHURCH allows Reflected XSS. This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-06 | 7.1 | CVE-2025-31642 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-plugin-2-7-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Dell--Unisphere for PowerMax | Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data and resources outside of the intended sphere of control. | 2026-01-06 | 7.6 | CVE-2025-36589 | https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities |
| devolo AG--devolo dLAN Cockpit | devolo dLAN Cockpit 4.3.1 contains an unquoted service path vulnerability in the 'DevoloNetworkService' that allows local non-privileged users to potentially execute arbitrary code. Attackers can exploit the insecure service path configuration by inserting malicious code in the system root path to execute with elevated privileges during application startup or system reboot. | 2026-01-07 | 8.4 | CVE-2019-25231 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Devolo Vendor Homepage |
| DevToys-app--DevToys | DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently validate file paths contained within the archive. A malicious extension package could include crafted file entries such as ../../target-file, causing the extraction process to write files outside the intended extensions directory. This flaw enables an attacker to overwrite arbitrary files on the user's system with the privileges of the DevToys process. Depending on the environment, this may lead to code execution, configuration tampering, or corruption of application or system files. This issue has been patched in version 2.0.9.0. | 2026-01-10 | 8.8 | CVE-2026-22685 | https://github.com/DevToys-app/DevToys/security/advisories/GHSA-ggxr-h6fm-p2qh https://github.com/DevToys-app/DevToys/pull/1643 https://github.com/DevToys-app/DevToys/commit/02fb7d46d9c663a4ee6ed968baa6a8810405047f |
| Digital zoom studio--DZS Video Gallery | Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection. This issue affects DZS Video Gallery: from n/a through 12.37. | 2026-01-07 | 9.8 | CVE-2025-47552 | https://patchstack.com/database/wordpress/plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-12-25-php-object-injection-vulnerability?_s_id=cve |
| Digital zoom studio--DZS Video Gallery | Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection. This issue affects DZS Video Gallery: from n/a through 12.25. | 2026-01-06 | 8.8 | CVE-2025-47553 | https://patchstack.com/database/wordpress/plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-25-php-object-injection-vulnerability?_s_id=cve |
| Digital zoom studio--DZS Video Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Digital zoom studio DZS Video Gallery allows Reflected XSS. This issue affects DZS Video Gallery: from n/a through 12.25. | 2026-01-07 | 7.1 | CVE-2025-32300 | https://patchstack.com/database/wordpress/plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-25-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| djanym--Optional Email | The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts. | 2026-01-07 | 9.8 | CVE-2025-15018 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ff4243e9-cf72-40d5-bc7d-204426024a1d?source=cve https://plugins.trac.wordpress.org/browser/optional-email/tags/1.3.11/optional-email.php?marks=44,51#L44 |
| e-plugins--JobBank | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins JobBank allows Reflected XSS. This issue affects JobBank: from n/a through 1.2.2. | 2026-01-06 | 7.1 | CVE-2025-69085 | https://patchstack.com/database/wordpress/plugin/jobbank/vulnerability/wordpress-jobbank-plugin-1-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| eastsidecode--WP Enable WebP | The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-01-07 | 8.8 | CVE-2025-15158 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fa53c5ee-fe7f-4fb2-baaa-2c1a151d4b2c?source=cve https://plugins.trac.wordpress.org/browser/wp-enable-webp/trunk/wp-enable-webp.php?rev=1998897#L43 |
| Elated-Themes--Frappé | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Frappé allows PHP Local File Inclusion. This issue affects Frappé: from n/a through 1.8. | 2026-01-06 | 8.1 | CVE-2025-69083 | https://patchstack.com/database/wordpress/theme/frappe/vulnerability/wordpress-frappe-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve |
| Extreme Networks--Aerohive HiveOS | Aerohive HiveOS contains a denial of service vulnerability in the NetConfig UI that allows unauthenticated attackers to render the web interface unusable. Attackers can send a crafted HTTP request to the action.php5 script with specific parameters to trigger a 5-minute service disruption. | 2026-01-06 | 7.5 | CVE-2020-36907 | ExploitDB-48441 Extreme Networks Product Homepage HiveOS Product Announcements Zero Science Lab Disclosure (ZSL-2020-5566) NCSC Security Advisory IBM X-Force Vulnerability Exchange Packet Storm Security Exploit Entry VulnCheck Advisory: Extreme Networks Aerohive HiveOS <=11.x 11.x Unauthenticated Remote Denial of Service |
| FIBAR GROUP S.A.--Home Center 3 | FIBARO System Home Center 5.021 contains a remote file inclusion vulnerability in the undocumented proxy API that allows attackers to include arbitrary client-side scripts. Attackers can exploit the 'url' GET parameter to inject malicious JavaScript and potentially hijack user sessions or manipulate page content. | 2026-01-06 | 7.5 | CVE-2020-36905 | ExploitDB-48240 Official Vendor Homepage Zero Science Lab Disclosure (ZSL-2020-5563) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange VulnCheck Advisory: FIBARO System Home Center 5.021 Remote File Inclusion via Proxy API |
| FlagForgeCTF--flagForge | Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To work around this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path. | 2026-01-08 | 7.5 | CVE-2026-21868 | https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-949h-9824-xmcx |
| FLIR Systems, Inc.--FLIR Thermal Camera F/FC/PT/D | FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system. | 2026-01-07 | 7.5 | CVE-2017-20214 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42787 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| FLIR Systems, Inc.--FLIR Thermal Camera F/FC/PT/D Stream | FLIR Thermal Camera F/FC/PT/D Stream firmware version 8.0.0.64 contains an unauthenticated vulnerability that allows remote attackers to access live camera streams without credentials. Attackers can exploit the vulnerability to view unauthorized thermal camera video feeds across multiple camera series without requiring any authentication. | 2026-01-07 | 7.5 | CVE-2017-20213 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42789 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| FLIR Systems, Inc.--FLIR Thermal Camera FC-S/PT | FLIR Thermal Camera FC-S/PT firmware version 8.0.0.64 contains an authenticated OS command injection vulnerability that allows attackers to execute shell commands with root privileges. Authenticated attackers can inject arbitrary shell commands through unvalidated input parameters to gain complete control of the thermal camera system. | 2026-01-07 | 8.8 | CVE-2017-20215 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42788 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| FLIR Systems, Inc.--FLIR Thermal Camera PT-Series | FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC). | 2026-01-07 | 9.8 | CVE-2017-20216 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42785 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| frappe--frappe | Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the server could be retrieved due to a lack of proper sanitization on some requests. This issue is fixed in versions 14.99.6 and 15.88.1. As a workaround, changing the setup to use a reverse proxy is recommended. | 2026-01-05 | 7.5 | CVE-2025-68953 | https://github.com/frappe/frappe/security/advisories/GHSA-xj39-3g4p-f46v https://github.com/frappe/frappe/commit/3867fb112c3f7be1a863e40f19e9235719f784fb https://github.com/frappe/frappe/commit/959efd6a498cfaeaf7d4e0ab6cca78c36192d34d |
| Frenify--Arlo | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frenify Arlo arlo allows Reflected XSS. This issue affects Arlo: from n/a through 6.0.3. | 2026-01-07 | 7.1 | CVE-2025-69082 | https://patchstack.com/database/wordpress/theme/arlo/vulnerability/wordpress-arlo-theme-6-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| fsylum--FS Registration Password | The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators, and leverage that to gain access to their account. | 2026-01-06 | 9.8 | CVE-2025-15001 | https://www.wordfence.com/threat-intel/vulnerabilities/id/22351b90-fc34-44ce-9241-4a0f01eb7b1c?source=cve https://plugins.trac.wordpress.org/browser/registration-password/tags/1.0.1/src/WP/Auth.php https://plugins.trac.wordpress.org/changeset/3431651/registration-password |
| G5Theme--Handmade Framework | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through 3.9. | 2026-01-08 | 7.5 | CVE-2026-22521 | https://patchstack.com/database/wordpress/plugin/handmade-framework/vulnerability/wordpress-handmade-framework-plugin-3-9-local-file-inclusion-vulnerability?_s_id=cve |
| ggml-org--llama.cpp | llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it's non-negative. When a negative value is supplied and the context fills up, llama_memory_seq_rm/add receives a reversed range and negative offset, causing out-of-bounds memory writes in the token evaluation loop. This deterministic memory corruption can crash the process or enable remote code execution (RCE). There is no fix at the time of publication. | 2026-01-07 | 8.8 | CVE-2026-21869 | https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-8947-pfff-2f3c |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage. | 2026-01-09 | 8 | CVE-2025-13761 | GitLab Issue #582237 HackerOne Bug Bounty Report #3441368 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown. | 2026-01-09 | 8.7 | CVE-2025-9222 | GitLab Issue #562561 HackerOne Bug Bounty Report #3297483 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests. | 2026-01-09 | 7.1 | CVE-2025-13772 | GitLab Issue #581268 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| greenshot--greenshot | Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below are vulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311. | 2026-01-08 | 7.8 | CVE-2026-22035 | https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb https://github.com/greenshot/greenshot/releases/tag/v1.3.311 |
| GT3 themes--Photo Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3 themes Photo Gallery allows Reflected XSS. This issue affects Photo Gallery: from n/a through 2.7.7.26. | 2026-01-06 | 7.1 | CVE-2025-69084 | https://patchstack.com/database/wordpress/plugin/gt3-photo-video-gallery/vulnerability/wordpress-photo-gallery-plugin-2-7-7-26-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Guangzhou V--V-SOL GPON/EPON OLT Platform | V-SOL GPON/EPON OLT Platform v2.03 contains an open redirect vulnerability in the script that allows attackers to manipulate the 'parent' GET parameter. Attackers can craft malicious links that redirect logged-in users to arbitrary websites by exploiting improper input validation in the redirect mechanism. | 2026-01-07 | 9.8 | CVE-2019-25282 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry VSOL Vendor Homepage |
| Guangzhou Yeroo Tech Co., Ltd.--iDS6 DSSPro Digital Signage System | iDS6 DSSPro Digital Signage System 6.2 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept authentication credentials through cleartext cookie transmission. Attackers can exploit the autoSave feature to capture user passwords during man-in-the-middle attacks on HTTP communications. | 2026-01-06 | 7.5 | CVE-2020-36917 | Zero Science Lab Disclosure (ZSL-2020-5605) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry Archived Yeroo Tech Vendor Homepage VulnCheck Advisory: iDS6 DSSPro Digital Signage System 6.2 Cleartext Password Disclosure via Cookie |
| haxtheweb--issues | HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0. | 2026-01-10 | 8.1 | CVE-2026-22704 | https://github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778 https://github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0 |
| IceWhaleTech--ZimaOS | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available. | 2026-01-08 | 9.4 | CVE-2026-21891 | https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-xj93-qw9p-jxq4 |
| Infility--Infility Global | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global allows SQL Injection. This issue affects Infility Global: from n/a through 2.14.48. | 2026-01-05 | 9.3 | CVE-2025-68865 | https://vdp.patchstack.com/database/wordpress/plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-14-38-sql-injection-vulnerability?_s_id=cve |
| INIM Electronics s.r.l.--SmartLiving SmartLAN/G/SI | SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials. | 2026-01-07 | 8.8 | CVE-2019-25289 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 47765 Packet Storm Security Exploit File CXSecurity Vulnerability Issue IBM X-Force Vulnerability Exchange Entry Inim Vendor Homepage |
| INIM Electronics s.r.l.--Smartliving SmartLAN/G/SI | INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. Attackers can exploit these persistent credentials to log in and gain unauthorized system access across multiple SmartLiving device models. | 2026-01-07 | 7.5 | CVE-2019-25291 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 47763 Packet Storm Security Exploit File IBM X-Force Vulnerability Exchange Entry INIM Vendor Homepage |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 9.8 | CVE-2026-21675 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wcwx-794g-g78f https://github.com/InternationalColorConsortium/iccDEV/issues/182 https://github.com/InternationalColorConsortium/iccDEV/commit/510baf58fa48e00ebbb5dd577f0db4af8876bb31 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to have Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 8.8 | CVE-2026-21485 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-chp2-4gv5-2432 https://github.com/InternationalColorConsortium/iccDEV/issues/340 https://github.com/InternationalColorConsortium/iccDEV/commit/c136aac51d25cbb4d9db63f071edad4f088843df |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 8.8 | CVE-2026-21676 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-j5vv-p2hv-c392 https://github.com/InternationalColorConsortium/iccDEV/issues/215 https://github.com/InternationalColorConsortium/iccDEV/commit/e4c38a67d06073b38d58580b0cfc78ca61005f84 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 8.8 | CVE-2026-21677 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-95w5-jvqf-3994 https://github.com/InternationalColorConsortium/iccDEV/issues/181 https://github.com/InternationalColorConsortium/iccDEV/commit/201125fbda22c8e4ea95800a6b427093fa4b8a22 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap-buffer-overflow in CIccLocalizedUnicode::GetText(). This issue has been patched in version 2.3.1.2. | 2026-01-07 | 8.8 | CVE-2026-21679 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h4wg-473g-p5wc https://github.com/InternationalColorConsortium/iccDEV/issues/328 https://github.com/InternationalColorConsortium/iccDEV/pull/329 https://github.com/InternationalColorConsortium/iccDEV/commit/2eb25ab95f0db7664ec3850390b6f89e302e7039 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow in `CIccXmlArrayType::ParseText()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21682 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-jq9m-54gr-c56c https://github.com/InternationalColorConsortium/iccDEV/issues/178 https://github.com/InternationalColorConsortium/iccDEV/pull/229 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `icStatusCMM::CIccEvalCompare::EvaluateProfile()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21683 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-f2wp-j3fr-938w https://github.com/InternationalColorConsortium/iccDEV/issues/183 https://github.com/InternationalColorConsortium/iccDEV/pull/228 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `SIccCalcOp::ArgsPushed()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21688 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3r2x-j7v3-pg6f https://github.com/InternationalColorConsortium/iccDEV/issues/379 https://github.com/InternationalColorConsortium/iccDEV/pull/422 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `ToXmlCurve()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21692 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7662-mf46-wr88 https://github.com/InternationalColorConsortium/iccDEV/issues/388 https://github.com/InternationalColorConsortium/iccDEV/pull/432 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccSegmentedCurveXml::ToXml()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21693 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-v3q7-7hw6-6jq8 https://github.com/InternationalColorConsortium/iccDEV/issues/389 https://github.com/InternationalColorConsortium/iccDEV/pull/432 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfileXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-22046 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7v4q-mhr2-hj7r https://github.com/InternationalColorConsortium/iccDEV/issues/448 https://github.com/InternationalColorConsortium/iccDEV/pull/451 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `SIccCalcOp::Describe()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-22047 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-22q7-8347-79m5 https://github.com/InternationalColorConsortium/iccDEV/issues/454 https://github.com/InternationalColorConsortium/iccDEV/pull/459 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-08 | 8.8 | CVE-2026-22255 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-qv2w-mq3g-73gv https://github.com/InternationalColorConsortium/iccDEV/issues/466 https://github.com/InternationalColorConsortium/iccDEV/pull/469 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 7.8 | CVE-2026-21486 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mg98-j5q2-674w https://github.com/InternationalColorConsortium/iccDEV/commit/1ab7363f38a20089934d3410c88f714eea392bf5 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 7.5 | CVE-2026-21507 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hgp5-r8m9-8qpj https://github.com/InternationalColorConsortium/iccDEV/issues/244 https://github.com/InternationalColorConsortium/iccDEV/commit/3f3ce789d0d2b608c194ed172fa38943519dc198 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 7.8 | CVE-2026-21673 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-g66g-f82c-vgm6 https://github.com/InternationalColorConsortium/iccDEV/issues/243 https://github.com/InternationalColorConsortium/iccDEV/commit/32740802ee14418bd14c429d7e2f142d92cd5c4f |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to a heap-buffer-overflow in IccTagXml(). This issue has been patched in version 2.3.1.2. | 2026-01-07 | 7.8 | CVE-2026-21678 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-9rp2-4c6g-hppf https://github.com/InternationalColorConsortium/iccDEV/issues/55 https://github.com/InternationalColorConsortium/iccDEV/pull/219 https://github.com/InternationalColorConsortium/iccDEV/commit/c6c0f1cf45b48db94266132ccda5280a1a33569d |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have an Undefined Behavior runtime error. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21681 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-v4qq-v3c3-x62x https://github.com/InternationalColorConsortium/iccDEV/pull/269 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagSpectralViewingConditions()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21684 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-fg9m-j9x8-8279 https://github.com/InternationalColorConsortium/iccDEV/issues/216 https://github.com/InternationalColorConsortium/iccDEV/pull/225 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagLut16::Read()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21685 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c3xr-6687-5c8p https://github.com/InternationalColorConsortium/iccDEV/issues/213 https://github.com/InternationalColorConsortium/iccDEV/pull/223 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagLutAtoB::Validate()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21686 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-792q-cqq9-mq4x https://github.com/InternationalColorConsortium/iccDEV/issues/214 https://github.com/InternationalColorConsortium/iccDEV/pull/222 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagCurve::CIccTagCurve()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21687 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-prmm-g479-4fv7 https://github.com/InternationalColorConsortium/iccDEV/issues/180 https://github.com/InternationalColorConsortium/iccDEV/pull/221 |
| ipaymu--iPaymu Payment Gateway for WooCommerce | The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products. | 2026-01-07 | 8.2 | CVE-2026-0656 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7e639aed-ec67-4212-9051-1f7465bbfde2?source=cve https://plugins.trac.wordpress.org/browser/ipaymu-for-woocommerce/tags/2.0.2/gateway.php?marks=316-336,370-380#L316 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429657%40ipaymu-for-woocommerce&new=3429657%40ipaymu-for-woocommerce |
| iWT Ltd.--FaceSentry Access Control System | FaceSentry Access Control System 6.4.8 contains a cleartext password storage vulnerability that allows attackers to access unencrypted credentials in the device's SQLite database. Attackers can directly read sensitive login information stored in /faceGuard/database/FaceSentryWeb.sqlite without additional authentication. | 2026-01-07 | 8.2 | CVE-2019-25279 | Zero Science Lab Vulnerability Advisory IBM X-Force Exchange Vulnerability Entry Packet Storm Security Exploit Entry |
| iWT Ltd.--FaceSentry Access Control System | FaceSentry Access Control System 6.4.8 contains a cleartext transmission vulnerability that allows remote attackers to intercept authentication credentials. Attackers can perform man-in-the-middle attacks to capture HTTP cookie authentication information during network communication. | 2026-01-07 | 7.5 | CVE-2019-25278 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange Entry |
| JanStudio--Gecko | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JanStudio Gecko allows PHP Local File Inclusion. This issue affects Gecko: from n/a through 1.9.8. | 2026-01-07 | 8.1 | CVE-2025-69080 | https://patchstack.com/database/wordpress/theme/gecko/vulnerability/wordpress-gecko-theme-1-9-8-local-file-inclusion-vulnerability?_s_id=cve |
| jwsthemes--FreeAgent | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes FreeAgent allows PHP Local File Inclusion. This issue affects FreeAgent: from n/a through 2.1.2. | 2026-01-05 | 8.1 | CVE-2025-69087 | https://vdp.patchstack.com/database/wordpress/theme/freeagent/vulnerability/wordpress-freeagent-theme-2-1-2-local-file-inclusion-vulnerability?_s_id=cve |
| Jwsthemes--Issabella | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jwsthemes Issabella allows PHP Local File Inclusion. This issue affects Issabella: from n/a through 1.1.2. | 2026-01-06 | 8.1 | CVE-2025-69086 | https://patchstack.com/database/wordpress/theme/issabella/vulnerability/wordpress-issabella-theme-1-1-2-local-file-inclusion-vulnerability?_s_id=cve |
| kanboard--kanboard | Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49. | 2026-01-08 | 9.1 | CVE-2026-21881 | https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc https://github.com/kanboard/kanboard/releases/tag/v1.2.49 |
| KlbTheme--Machic Core | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS. This issue affects Machic Core: from n/a through 1.2.6. | 2026-01-05 | 7.1 | CVE-2023-49186 | https://vdp.patchstack.com/database/wordpress/plugin/machic-core/vulnerability/wordpress-machic-core-plugin-1-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| loopus--WP Cost Estimation & Payment Forms Builder | The WP Cost Estimation plugin for WordPress is vulnerable to arbitrary file uploads and deletion due to missing file type validation in the lfb_upload_form and lfb_removeFile AJAX actions in versions up to, and including, 9.642. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Additionally, the attacker can also delete files on the server such as database configuration files, subsequently uploading their own database files. | 2026-01-08 | 9.8 | CVE-2019-25296 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae50aa5d-95e3-4650-9dbf-118b4ba3abda?source=cve https://www.wordfence.com/blog/2019/02/vulnerabilities-patched-in-wp-cost-estimation-plugin/ https://www.zdnet.com/article/another-wordpress-commercial-plugin-gets-exploited-in-the-wild/ https://wpscan.com/vulnerability/9219 https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-cost-estimation-payment-forms-builder-multiple-vulnerabilities-9-642/ |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class.php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class.php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection. This issue does not have a fix at the time of publication. | 2026-01-07 | 9.8 | CVE-2026-21875 | https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-crpv-fmc4-j392 |
| Marketing Fire LLC--LoginWP - Pro | Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LoginWP - Pro: from n/a through 4.0.8.5. | 2026-01-05 | 7.5 | CVE-2025-46255 | https://vdp.patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-settings-change-vulnerability?_s_id=cve |
| Meow Apps--Media File Renamer | Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files. This issue affects Media File Renamer: from n/a through 5.7.7. | 2026-01-05 | 9.1 | CVE-2023-50897 | https://vdp.patchstack.com/database/wordpress/plugin/media-file-renamer/vulnerability/wordpress-media-file-renamer-plugin-5-7-7-arbitrary-file-rename-lead-to-rce-vulnerability?_s_id=cve |
| Mojoomla--WPCHURCH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla WPCHURCH allows Blind SQL Injection. This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-07 | 9.3 | CVE-2025-32303 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-2-7-0-sql-injection-vulnerability?_s_id=cve |
| Mojoomla--WPCHURCH | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mojoomla WPCHURCH allows PHP Local File Inclusion. This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-06 | 8.1 | CVE-2025-32304 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-plugin-2-7-0-local-file-inclusion-vulnerability?_s_id=cve |
| moneyspace--Money Space | The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation. | 2026-01-07 | 8.6 | CVE-2025-13371 | https://www.wordfence.com/threat-intel/vulnerabilities/id/77db827d-9afd-4b59-b0ad-1ad562634c52?source=cve https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L164 https://plugins.trac.wordpress.org/browser/money-space/trunk/view/mspaylink.php#L232 https://plugins.trac.wordpress.org/browser/money-space/tags/2.13.9/view/mspaylink.php#L232 https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L232 |
| n/a--GNU Wget2 | A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user's environment. | 2026-01-09 | 8.8 | CVE-2025-69194 | https://access.redhat.com/security/cve/CVE-2025-69194 RHBZ#2425773 |
| n/a--GNU Wget2 | A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities. | 2026-01-09 | 7.6 | CVE-2025-69195 | https://access.redhat.com/security/cve/CVE-2025-69195 RHBZ#2425770 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0. | 2026-01-07 | 10 | CVE-2026-21858 | https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg |
| n8n-io--n8n | n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended. | 2026-01-08 | 10 | CVE-2026-21877 | https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263 https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_AOS_ProcessSecurity function reads memory without valid bounds checking when parsing AOS frame hashes. This issue has been patched in version 1.4.3. | 2026-01-10 | 8.2 | CVE-2026-21898 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853 https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_Config_Add_Gvcid_Managed_Parameters function only checks whether gvcid_counter > GVCID_MAN_PARAM_SIZE. As a result, it allows up to the 251st entry, which causes a write past the end of the array, overwriting gvcid_counter located immediately after gvcid_managed_parameters_array[250]. This leads to an out-of-bounds write, and the overwritten gvcid_counter may become an arbitrary value, potentially affecting the parameter lookup/registration logic that relies on it. This issue has been patched in version 1.4.3. | 2026-01-10 | 7.3 | CVE-2026-21897 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-9x7j-gx23-7m5r https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, CryptoLib's KMC crypto service integration is vulnerable to a heap buffer overflow when decoding Base64-encoded ciphertext/cleartext fields returned by the KMC service. The decode destination buffer is sized using an expected output length (len_data_out), but the Base64 decoder writes output based on the actual Base64 input length and does not enforce any destination size limit. An oversized Base64 string in the KMC JSON response can cause out-of-bounds writes on the heap, resulting in process crash and potentially code execution under certain conditions. This issue has been patched in version 1.4.3. | 2026-01-10 | 7.5 | CVE-2026-22697 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-qjx3-83jh-2jc4 https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| neeraj_slit--Brevo for WooCommerce | The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_connection_id' parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-08 | 7.2 | CVE-2025-14436 | https://www.wordfence.com/threat-intel/vulnerabilities/id/670f4e26-75c9-40cd-8088-2fa4c40f6feb?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L164 https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L171 https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L188 https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/src/managers/admin-manager.php#L59 https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/src/views/admin_menus.php#L728 https://plugins.trac.wordpress.org/changeset/3434903/woocommerce-sendinblue-newsletter-subscription |
| NREL--BEopt | NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. Attackers can exploit insecure library loading of sdl2.dll and libegl.dll by placing malicious libraries on WebDAV or SMB shares to execute unauthorized code. | 2026-01-07 | 9.8 | CVE-2019-25268 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange BEopt Product Homepage |
| opajaap--WP Photo Album Plus | The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 7.1 | CVE-2025-14835 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0903521d-3b07-4539-97c9-15e6bbe2cc2e?source=cve https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-ajax.php#L43 https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-ajax.php#L1130 https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-filter.php#L125 https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-functions.php#L5617 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3427638%40wp-photo-album-plus%2Ftrunk&old=3426267%40wp-photo-album-plus%2Ftrunk&sfp_email=&sfph_mail= |
| OpenCTI-Platform--opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lacks proper authorization checks to verify ownership of the targeted resources. An attacker can exploit this by supplying an active UUID of another user. Since the API does not validate whether the requester owns the resource, the mutation executes successfully, resulting in unauthorized deletion of the entire workspace. Version 6.8.1 fixes the issue. | 2026-01-05 | 7.1 | CVE-2025-61781 | https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-pr6m-q4g7-342c |
| OPEXUS--eCASE Audit | OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0. | 2026-01-08 | 7.6 | CVE-2026-22230 | url url url |
| OPEXUS--eCase Portal | OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files. | 2026-01-08 | 9.8 | CVE-2026-22234 | url url |
| OPEXUS--eComplaint | OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files. | 2026-01-08 | 7.5 | CVE-2026-22235 | url url |
| opf--openproject | OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually. | 2026-01-10 | 9.1 | CVE-2026-22600 | https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh https://github.com/opf/openproject/releases/tag/v16.6.4 |
| Plexus--Plexus anblick Digital Signage Management | Plexus anblick Digital Signage Management 3.1.13 contains an open redirect vulnerability in the 'PantallaLogin' script that allows attackers to manipulate the 'pagina' GET parameter. Attackers can craft malicious links that redirect users to arbitrary websites by exploiting improper input validation in the parameter. | 2026-01-06 | 9.8 | CVE-2020-36912 | Zero Science Lab Disclosure (ZSL-2020-5573) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange Entry Plexus Vendor Homepage VulnCheck Advisory: Plexus anblick Digital Signage Management 3.1.13 Open Redirect via Pagina Parameter |
| pnpm--pnpm | pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0. | 2026-01-07 | 8.8 | CVE-2025-69264 | https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5 |
| pnpm--pnpm | pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0. | 2026-01-07 | 7.6 | CVE-2025-69262 | https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx https://github.com/pnpm/pnpm/releases/tag/v10.27.0 |
| pnpm--pnpm | pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0. | 2026-01-07 | 7.5 | CVE-2025-69263 | https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85 |
| Pro-Bravia--Sony BRAVIA Digital Signage | Sony BRAVIA Digital Signage 1.7.8 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive system details through API endpoints. Attackers can retrieve network interface information, server configurations, and system metadata by sending requests to the exposed system API. | 2026-01-06 | 7.5 | CVE-2020-36922 | ExploitDB-49187 Sony BRAVIA Digital Signage Official Homepage BRAVIA Signage Software Resources Sony Professional Display Software Product Page Zero Science Lab Disclosure (ZSL-2020-5610) Packet Storm Security Exploit Entry CXSecurity Vulnerability Database IBM X-Force Vulnerability Exchange VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Unauthenticated System API Information Disclosure |
| Pro-Bravia--Sony BRAVIA Digital Signage | Sony BRAVIA Digital Signage 1.7.8 contains a remote file inclusion vulnerability that allows attackers to inject arbitrary client-side scripts through the content material URL parameter. Attackers can exploit this vulnerability to hijack user sessions, execute cross-site scripting code, and modify display content by manipulating the input material type. | 2026-01-06 | 7.5 | CVE-2020-36924 | ExploitDB-49186 Sony BRAVIA Digital Signage Product Homepage BRAVIA Signage Software Resources Sony Professional Display Software Product Page Zero Science Lab Disclosure (ZSL-2020-5612) Packet Storm Security Exploit Archive IBM X-Force Exchange Vulnerability Entry CXSecurity Vulnerability Listing VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion |
| projectworlds--House Rental and Property Listing | A flaw has been found in projectworlds House Rental and Property Listing 1.0. Impacted is an unknown function of the file /app/register.php?action=reg of the component Signup. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-01-06 | 7.3 | CVE-2026-0643 | VDB-339686 \| projectworlds House Rental and Property Listing Signup register.php unrestricted upload VDB-339686 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #732563 \| projectworlds.com rental And Property Listing Project V1.0 File unrestricted upload https://github.com/1uzpk/cve/issues/4 |
| Qualcomm, Inc.--Snapdragon | Cryptographic issue may occur while encrypting license data. | 2026-01-06 | 8.4 | CVE-2025-47345 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while deinitializing a HDCP session. | 2026-01-06 | 7.8 | CVE-2025-47339 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing a video session to set video parameters. | 2026-01-06 | 7.8 | CVE-2025-47343 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing a secure logging command in the trusted application. | 2026-01-06 | 7.8 | CVE-2025-47346 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing identity credential operations in the trusted application. | 2026-01-06 | 7.8 | CVE-2025-47348 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when multiple threads concurrently access and modify shared resources. | 2026-01-06 | 7.8 | CVE-2025-47356 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while preprocessing IOCTLs in sensors. | 2026-01-06 | 7.8 | CVE-2025-47380 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while passing pages to DSP with an unaligned starting address. | 2026-01-06 | 7.8 | CVE-2025-47388 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption when accessing resources in kernel driver. | 2026-01-06 | 7.8 | CVE-2025-47393 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption when copying overlapping buffers during memory operations due to incorrect offset calculations. | 2026-01-06 | 7.8 | CVE-2025-47394 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption occurs when a secure application is launched on a device with insufficient memory. | 2026-01-06 | 7.8 | CVE-2025-47396 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-05 | 8.8 | CVE-2025-15240 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| quickjs-ng--quickjs | A vulnerability was determined in quickjs-ng quickjs up to 0.11.0. This vulnerability affects the function js_typed_array_constructor of the file quickjs.c. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called c5d80831e51e48a83eab16ea867be87f091783c5. A patch should be applied to remediate this issue. | 2026-01-10 | 7.3 | CVE-2026-0821 | VDB-340355 \| quickjs-ng quickjs quickjs.c js_typed_array_constructor heap-based overflow VDB-340355 \| CTI Indicators (IOB, IOC, IOA) Submit #731780 \| quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow https://github.com/quickjs-ng/quickjs/issues/1296 https://github.com/quickjs-ng/quickjs/pull/1299 https://github.com/quickjs-ng/quickjs/issues/1296#issue-3780003395 https://github.com/quickjs-ng/quickjs/commit/c5d80831e51e48a83eab16ea867be87f091783c5 |
| Red Hat--Red Hat Ansible Automation Platform 2.5 for RHEL 8 | A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API tokens in AAP are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker's capabilities would only be limited by role-based access controls (RBAC). | 2026-01-08 | 8.5 | CVE-2025-14025 | https://access.redhat.com/articles/7136004 RHSA-2026:0360 RHSA-2026:0361 RHSA-2026:0408 RHSA-2026:0409 https://access.redhat.com/security/cve/CVE-2025-14025 RHBZ#2418785 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk. | 2026-01-08 | 7.5 | CVE-2026-0719 | https://access.redhat.com/security/cve/CVE-2026-0719 RHBZ#2427906 https://gitlab.gnome.org/GNOME/libsoup/-/issues/477 |
| Red Hat--Red Hat JBoss Enterprise Application Platform 8.1 | A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions. | 2026-01-07 | 9.6 | CVE-2025-12543 | RHSA-2026:0383 RHSA-2026:0384 RHSA-2026:0386 https://access.redhat.com/security/cve/CVE-2025-12543 RHBZ#2408784 |
| RED--RED-V Super Digital Signage System RXV-A740R | RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication. | 2026-01-06 | 7.5 | CVE-2020-36921 | Zero Science Lab Disclosure (ZSL-2020-5609) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database RED-V Vendor Homepage VulnCheck Advisory: RED-V Super Digital Signage System 5.1.1 Log Information Disclosure Vulnerability |
| remix-run--react-router | React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2. | 2026-01-10 | 9.1 | CVE-2025-61686 | https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw |
| remix-run--react-router | React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0. | 2026-01-10 | 8.2 | CVE-2026-21884 | https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7 |
| remix-run--react-router | React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0. | 2026-01-10 | 8 | CVE-2026-22029 | https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx |
| remix-run--react-router | React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0. | 2026-01-10 | 7.6 | CVE-2025-59057 | https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8 |
| Rustaurius--Five Star Restaurant Reservations | Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8. | 2026-01-05 | 8.6 | CVE-2025-68044 | https://vdp.patchstack.com/database/wordpress/plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| RustCrypto--elliptic-curves | RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 PKE decryption path where an invalid elliptic-curve point (C1) is decoded and the resulting value is unwrapped without checking. Specifically, AffinePoint::from_encoded_point(&encoded_c1) may return a None/CtOption::None when the supplied coordinates are syntactically valid but do not lie on the SM2 curve. The calling code previously used .unwrap(), causing a panic when presented with such input. This issue has been patched via commit 085b7be. | 2026-01-10 | 7.5 | CVE-2026-22699 | https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-78p6-6878-8mj6 https://github.com/RustCrypto/elliptic-curves/pull/1602 https://github.com/RustCrypto/elliptic-curves/commit/085b7bee647029bd189e1375203418205006bcab |
| RustCrypto--elliptic-curves | RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 public-key encryption (PKE) implementation: the decrypt() path performs unchecked slice::split_at operations on input buffers derived from untrusted ciphertext. An attacker can submit short/undersized ciphertext or carefully-crafted DER-encoded structures to trigger bounds-check panics (Rust unwinding) which crash the calling thread or process. This issue has been patched via commit e60e991. | 2026-01-10 | 7.5 | CVE-2026-22700 | https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-j9xq-69pf-pcm8 https://github.com/RustCrypto/elliptic-curves/pull/1603 https://github.com/RustCrypto/elliptic-curves/commit/e60e99167a9a2b187ebe80c994c5204b0fdaf4ab |
| SaasProject--Booking Package | Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Booking Package: from n/a through 1.6.27. | 2026-01-05 | 7.5 | CVE-2024-30516 | https://vdp.patchstack.com/database/wordpress/plugin/booking-package/vulnerability/wordpress-booking-package-plugin-1-6-27-price-manipulation-vulnerability?_s_id=cve |
| salvo-rs--salvo | Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder that includes a rendering of the current path, which is inserted into the HTML without proper sanitization. This leads to reflected XSS, because the request path is decoded and normalized in the matching stage but is inserted raw into the HTML view (current.path). The only constraint is that the root path (e.g. /files in the PoC example) must have a subdirectory (e.g. common ones such as styles, scripts, etc.) so that the matching returns the list HTML page instead of the Not Found page. This issue has been patched in version 0.88.1. | 2026-01-08 | 8.8 | CVE-2026-22256 | https://github.com/salvo-rs/salvo/security/advisories/GHSA-rjf8-2wcw-f6mp https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L593 |
| salvo-rs--salvo | Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the file or folder names. This may lead to XSS in cases where a website allows access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1. | 2026-01-08 | 8.8 | CVE-2026-22257 | https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581 |
| Sangfor--Operation and Maintenance Management System | A vulnerability was found in Sangfor Operation and Maintenance Management System up to 3.0.8. This issue affects some unknown processing of the file /isomp-protocol/protocol/getHis of the component HTTP POST Request Handler. The manipulation of the argument sessionPath results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 9.8 | CVE-2025-15500 | VDB-340345 \| Sangfor Operation and Maintenance Management System HTTP POST Request getHis os command injection VDB-340345 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #727208 \| Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection https://github.com/master-abc/cve/issues/11 https://github.com/master-abc/cve/issues/11#issue-3770602189 |
| Sangfor--Operation and Maintenance Management System | A vulnerability was determined in Sangfor Operation and Maintenance Management System up to 3.0.8. Impacted is the function WriterHandle.getCmd of the file /isomp-protocol/protocol/getCmd. This manipulation of the argument sessionPath causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 9.8 | CVE-2025-15501 | VDB-340346 \| Sangfor Operation and Maintenance Management System getCmd WriterHandle.getCmd os command injection VDB-340346 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #727214 \| Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection https://github.com/master-abc/cve/issues/12 https://github.com/master-abc/cve/issues/12#issue-3770615262 |
| Sangfor--Operation and Maintenance Management System | A vulnerability has been found in Sangfor Operation and Maintenance Management System up to 3.0.8. This vulnerability affects the function uploadCN of the file VersionController.java. The manipulation of the argument filename leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 8.8 | CVE-2025-15499 | VDB-340344 \| Sangfor Operation and Maintenance Management System VersionController.java uploadCN os command injection VDB-340344 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #727207 \| Sangfor Operation and Maintenance Management System (运维安全管理系统 / OSM) 3.0.8 Command Injection https://github.com/master-abc/cve/issues/10 https://github.com/master-abc/cve/issues/10#issue-3770540830 |
| Sangfor--Operation and Maintenance Management System | A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.8. The affected element is the function SessionController of the file /isomp-protocol/protocol/session. Such manipulation of the argument Hostname leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-10 | 7.3 | CVE-2025-15502 | VDB-340347 \| Sangfor Operation and Maintenance Management System session SessionController os command injection VDB-340347 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #727217 \| Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection https://github.com/master-abc/cve/issues/14 https://github.com/master-abc/cve/issues/14#issue-3770634476 |
| Sangfor--Operation and Maintenance Management System | A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3.0.8. The impacted element is an unknown function of the file /fort/trust/version/common/common.jsp. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-10 | 7.3 | CVE-2025-15503 | VDB-340348 \| Sangfor Operation and Maintenance Management System common.jsp unrestricted upload VDB-340348 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #727253 \| Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 Unrestricted Upload https://github.com/master-abc/cve/issues/13 https://github.com/master-abc/cve/issues/13#issue-3770623333 |
| Sfwebservice--InWave Jobs | Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects InWave Jobs: from n/a through 3.5.8. | 2026-01-06 | 9.8 | CVE-2025-39477 | https://patchstack.com/database/wordpress/plugin/iwjob/vulnerability/wordpress-inwave-jobs-plugin-3-5-8-broken-access-control-vulnerability?_s_id=cve |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field. | 2026-01-09 | 9.8 | CVE-2025-14736 | https://www.wordfence.com/threat-intel/vulnerabilities/id/07eb71fc-6588-490d-8947-3077ec4a9045?source=cve https://plugins.trac.wordpress.org/changeset/3427243/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts. | 2026-01-09 | 9.1 | CVE-2025-14741 | https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106 |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 7.2 | CVE-2025-14937 | https://www.wordfence.com/threat-intel/vulnerabilities/id/46c988ff-9cc5-4f2b-a3dd-06eaef5a7919?source=cve https://plugins.trac.wordpress.org/changeset/3427236/acf-frontend-form-element |
| Shazdeh--Header Image Slider | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Shazdeh Header Image Slider header-image-slider allows DOM-Based XSS. This issue affects Header Image Slider: from n/a through 0.3. | 2026-01-06 | 7.1 | CVE-2024-30547 | https://patchstack.com/database/wordpress/plugin/header-image-slider/vulnerability/wordpress-header-image-slider-plugin-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Shenzhen Xingmeng Qihang Media Co., Ltd.--QiHang Media Web (QH.aspx) Digital Signage | QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie transmission. Attackers can perform man-in-the-middle attacks to capture and potentially misuse stored authentication credentials transmitted in an insecure manner. | 2026-01-06 | 7.5 | CVE-2020-36914 | Zero Science Lab Disclosure (ZSL-2020-5578) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry HowFor Vendor Homepage VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Cookie Authentication Credentials Disclosure |
| solwininfotech--User Activity Log | The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. | 2026-01-07 | 7.5 | CVE-2025-11877 | https://www.wordfence.com/threat-intel/vulnerabilities/id/24225f47-cec2-4270-88f0-8696ebfb7168?source=cve https://plugins.trac.wordpress.org/browser/user-activity-log/trunk/user-functions.php |
| Sony Electronics Inc.--Sony BRAVIA Digital Signage | Sony BRAVIA Digital Signage 1.7.8 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization controls. Attackers can access hidden system resources like '/#/content-creation' by manipulating client-side access restrictions. | 2026-01-06 | 9.8 | CVE-2020-36923 | Zero Science Lab Disclosure (ZSL-2020-5611) IBM X-Force Exchange Vulnerability Entry CXSecurity Vulnerability Listing Packet Storm Security Exploit Archive Sony Professional Display Software Product Page BRAVIA Signage Software Resources Sony BRAVIA Digital Signage Official Homepage VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Client-Side Protection Bypass via IDOR |
| spinnaker--spinnaker | Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. The primary impact is allowing users to fetch data from a remote URL. This data can then be injected into spinnaker pipelines via helm or other methods to extract things like idmsv1 authentication data. This also includes calling internal spinnaker APIs via a get and similar endpoints. Further, depending upon the artifact in question, auth data may be exposed to arbitrary endpoints (e.g. GitHub auth headers), leading to credentials exposure. To trigger this, a spinnaker installation MUST have two things. The first is an artifact enabled that allows user input. This includes GitHub file artifacts, BitBucket, GitLab, HTTP artifacts and similar artifact providers. JUST enabling the http artifact provider will add a "no-auth" http provider that could be used to extract link local data (e.g. AWS Metadata information). The second is a system that can consume the output of these artifacts. For example, Rosco helm can use this to fetch values data. K8s account manifests, if the API returns JSON, can be used to inject that data into the pipeline itself, though the pipeline would fail. This vulnerability is fixed in versions 2025.1.6, 2025.2.3, and 2025.3.0. As a workaround, disable HTTP account types that allow user input of a given URL. This is probably not feasible in most cases. Git, Docker and other artifact account types with explicit URL configurations bypass this limitation and should be safe as they limit artifact URL loading. Alternatively, use one of the various vendors which provide OPA policies to restrict pipelines from accessing or saving a pipeline with invalid URLs. | 2026-01-05 | 7.9 | CVE-2025-61916 | https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h |
| spree--spree | Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5. | 2026-01-10 | 7.5 | CVE-2026-22589 | https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795 https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67 https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad |
| staniel359--muffon | muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon's custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue. | 2026-01-05 | 8.8 | CVE-2025-55204 | https://github.com/staniel359/muffon/security/advisories/GHSA-gc3f-gqph-522q https://drive.google.com/file/d/1eCPCQ6leuVM_vecfofFv04c0t9isCBqR/view?usp=sharing https://github.com/staniel359/muffon/releases/tag/v2.3.0 |
| SUSE--harvester | Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup. | 2026-01-08 | 9.8 | CVE-2025-62877 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62877 https://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv |
| SUSE--neuvector | NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks. | 2026-01-08 | 8.8 | CVE-2025-66001 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66001 https://github.com/neuvector/neuvector/security/advisories/GHSA-4jj9-cgqc-x9h5 |
| Tdmsignage--TDM Digital Signage PC Player | TDM Digital Signage PC Player 4.1.0.4 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files. Attackers can leverage the 'Modify' permissions for authenticated users to replace executable files with malicious binaries and gain elevated system access. | 2026-01-06 | 8.8 | CVE-2020-36916 | ExploitDB-48953 TDM Digital Signage Official Website Sony Professional Display Software Product Page Zero Science Lab Disclosure (ZSL-2020-5604) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: TDM Digital Signage PC Player 4.1.0.4 Privilege Escalation via Insecure Permissions |
| Tencent--WeKnora | WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5. | 2026-01-10 | 10 | CVE-2026-22688 | https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb |
| Tencent--WeKnora | WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5. | 2026-01-10 | 8.1 | CVE-2026-22687 | https://github.com/Tencent/WeKnora/security/advisories/GHSA-pcwc-3fw3-8cqv https://github.com/Tencent/WeKnora/commit/da55707022c252dd2c20f8e18145b2d899ee06a1 |
| Tenda--AC23 | A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Executing a manipulation of the argument Time can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-06 | 8.8 | CVE-2026-0640 | VDB-339683 \| Tenda AC23 PowerSaveSet sscanf buffer overflow VDB-339683 \| CTI Indicators (IOB, IOC, IOA) Submit #731772 \| Tenda AC23 V16.03.07.52 Buffer Overflow https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow/Tenda%20AC23_Buffer_Overflow.md https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow/Tenda%20AC23_Buffer_Overflow.md#poc https://www.tenda.com.cn/ |
| the-hideout--tarkov-data-manager | The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities. | 2026-01-07 | 9.8 | CVE-2026-21854 | https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-r8w6-9xwg-6h73 https://github.com/the-hideout/tarkov-data-manager/commit/f188f0abf766cefe3f1b7b4fc6fe9dad3736174a |
| the-hideout--tarkov-data-manager | The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities. | 2026-01-07 | 9.3 | CVE-2026-21855 | https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89 |
| the-hideout--tarkov-data-manager | The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time-based blind SQL injection vulnerability in the webhook edit and scanner API endpoints allows an authenticated attacker to execute arbitrary SQL queries against the MySQL database. Commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 contains a patch. | 2026-01-07 | 7.2 | CVE-2026-21856 | https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-4gcx-ghwc-rc78 https://github.com/the-hideout/tarkov-data-manager/commit/9bdb3a75a98a7047b6d70144eb1da1655d6992a8 |
| ThemeREX Group--Hope | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Group Hope charity-is-hope allows PHP Local File Inclusion. This issue affects Hope: from n/a through 3.0.0. | 2026-01-07 | 8.1 | CVE-2025-69081 | https://patchstack.com/database/wordpress/theme/charity-is-hope/vulnerability/wordpress-hope-theme-3-0-0-local-file-inclusion-vulnerability?_s_id=cve |
| Themesgrove--WidgetKit Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesgrove WidgetKit Pro allows Reflected XSS. This issue affects WidgetKit Pro: from n/a through 1.13.1. | 2026-01-07 | 7.1 | CVE-2025-46494 | https://patchstack.com/database/wordpress/plugin/widgetkit-pro/vulnerability/wordpress-widgetkit-pro-plugin-1-13-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Themify--Shopo | Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo allows Upload a Web Shell to a Web Server. This issue affects Shopo: from n/a through 1.1.4. | 2026-01-05 | 9.9 | CVE-2025-31048 | https://vdp.patchstack.com/database/wordpress/theme/shopo/vulnerability/wordpress-shopo-1-1-4-arbitrary-file-upload-vulnerability?_s_id=cve |
| Themify--Themify Edmin |